diff --git a/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml b/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
index a87f0f2af..a826142f5 100644
--- a/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
+++ b/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
@@ -20,8 +20,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains: \Software\Sysinternals\SDelete
+ OperationType: '%%1904'
+ ObjectName|contains: \Software\Sysinternals\SDelete
 condition: registry_add and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml b/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml
index f223ef50e..7cc987ba5 100644
--- a/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml
+++ b/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml
@@ -19,7 +19,7 @@ detection:
 EventID: 4657
 Channel: Security
 main_selection:
- TargetObject|contains:
+ ObjectName|contains:
 - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
 - \Software\Wow6432Node\Microsoft\Command Processor\Autorun
 - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
@@ -39,9 +39,9 @@ detection:
 - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
 - \Control Panel\Desktop\Scrnsave.exe
 session_manager_base:
- TargetObject|contains: \System\CurrentControlSet\Control\Session Manager
+ ObjectName|contains: \System\CurrentControlSet\Control\Session Manager
 session_manager:
- TargetObject|contains:
+ ObjectName|contains:
 - \SetupExecute
 - \S0InitialCommand
 - \KnownDlls
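Review bot: `OperationType: '%%1904'` is not a one-to-one replacement for Sysmon's `EventType: CreateKey`: in Security event 4657 the %%1904 code means a new registry value was created, and 4657 is not raised for key creation at all, so this rule now fires on the first value written under `\Software\Sysinternals\SDelete` rather than when the key itself appears. That is probably an acceptable approximation for this key, but it should be stated next to the field, e.g. `# 4657 has no key-creation operation; %%1904 (new value created) is the closest equivalent`, and the same remark applies to the other CreateKey conversions in this commit (registry_add_malware_netwire, registry_add_malware_ursnif, registry_add_persistence_amsi_providers, registry_add_persistence_com_key_linking, registry_add_persistence_disk_cleanup_handler_entry, registry_add_persistence_logon_scripts_userinitmprlogonscript, the three registry_add_pua_sysinternals eula rules and registry_event_disable_security_events_logging_adding_reg_key_minint). Note also that 4657 is only emitted when the Audit Registry subcategory is enabled and the audited key carries a SACL; without that these converted rules are silent, which is worth a line in each rule's description so operators do not assume coverage they do not have.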
@@ -49,9 +49,9 @@ detection:
 - \BootExecute
 - \AppCertDlls
 current_version_base:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
 current_version:
- TargetObject|contains:
+ ObjectName|contains:
 - \ShellServiceObjectDelayLoad
 - \Run
 - \Policies\System\Shell
@@ -69,9 +69,9 @@ detection:
 - \Authentication\Credential Providers
 - \Authentication\Credential Provider Filters
 nt_current_version_base:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
 nt_current_version:
- TargetObject|contains:
+ ObjectName|contains:
 - \Winlogon\VmApplet
 - \Winlogon\Userinit
 - \Winlogon\Taskman
@@ -87,9 +87,9 @@ detection:
 - \Windows\Run
 - \Windows\Load
 wow_current_version_base:
- TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
+ ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
 wow_current_version:
- TargetObject|contains:
+ ObjectName|contains:
 - \ShellServiceObjectDelayLoad
 - \Run
 - \Explorer\ShellServiceObjects
@@ -98,18 +98,18 @@ detection:
 - \Explorer\SharedTaskScheduler
 - \Explorer\Browser Helper Objects
 wow_nt_current_version_base:
- TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
+ ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
 wow_nt_current_version:
- TargetObject|contains:
+ ObjectName|contains:
 - \Windows\Appinit_Dlls
 - \Image File Execution Options
 - \Drivers32
 wow_office:
- TargetObject|contains: \Software\Wow6432Node\Microsoft\Office
+ ObjectName|contains: \Software\Wow6432Node\Microsoft\Office
 office:
- TargetObject|contains: \Software\Microsoft\Office
+ ObjectName|contains: \Software\Microsoft\Office
 wow_office_details:
- TargetObject|contains:
+ ObjectName|contains:
 - \Word\Addins
 - \PowerPoint\Addins
 - \Outlook\Addins
@@ -118,18 +118,18 @@ detection:
 - \Access\Addins
 - test\Special\Perf
 wow_ie:
- TargetObject|contains: \Software\Wow6432Node\Microsoft\Internet Explorer
+ ObjectName|contains: \Software\Wow6432Node\Microsoft\Internet Explorer
 ie:
- TargetObject|contains: \Software\Microsoft\Internet Explorer
+ ObjectName|contains: \Software\Microsoft\Internet Explorer
 wow_ie_details:
- TargetObject|contains:
+ ObjectName|contains:
 - \Toolbar
 - \Extensions
 - \Explorer Bars
 wow_classes_base:
- TargetObject|contains: \Software\Wow6432Node\Classes
+ ObjectName|contains: \Software\Wow6432Node\Classes
 wow_classes:
- TargetObject|contains:
+ ObjectName|contains:
 - \Folder\ShellEx\ExtShellFolderViews
 - \Folder\ShellEx\DragDropHandlers
 - \Folder\ShellEx\ColumnHandlers
@@ -143,9 +143,9 @@ detection:
 - \ShellEx\PropertySheetHandlers
 - \ShellEx\ContextMenuHandlers
 classes_base:
- TargetObject|contains: \Software\Classes
+ ObjectName|contains: \Software\Classes
 classes:
- TargetObject|contains:
+ ObjectName|contains:
 - \Folder\ShellEx\ExtShellFolderViews
 - \Folder\ShellEx\DragDropHandlers
 - \Folder\Shellex\ColumnHandlers
@@ -163,23 +163,23 @@ detection:
 - \ShellEx\PropertySheetHandlers
 - \ShellEx\ContextMenuHandlers
 scripts_base:
- TargetObject|contains: \Software\Policies\Microsoft\Windows\System\Scripts
+ ObjectName|contains: \Software\Policies\Microsoft\Windows\System\Scripts
 scripts:
- TargetObject|contains:
+ ObjectName|contains:
 - \Startup
 - \Shutdown
 - \Logon
 - \Logoff
 winsock_parameters_base:
- TargetObject|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
+ ObjectName|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
 winsock_parameters:
- TargetObject|contains:
+ ObjectName|contains:
 - \Protocol_Catalog9\Catalog_Entries
 - \NameSpace_Catalog5\Catalog_Entries
 system_control_base:
- TargetObject|contains: \SYSTEM\CurrentControlSet\Control
+ ObjectName|contains: \SYSTEM\CurrentControlSet\Control
 system_control:
- TargetObject|contains:
+ ObjectName|contains:
 - \Terminal Server\WinStations\RDP-Tcp\InitialProgram
 - \Terminal Server\Wds\rdpwd\StartupPrograms
 - \SecurityProviders\SecurityProviders
@@ -191,9 +191,9 @@ detection:
 - \Lsa\Authentication Packages
 - \BootVerificationProgram\ImagePath
 filter:
- - Details: (Empty)
- - TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount
- - Image: C:\WINDOWS\System32\svchost.exe
+ - NewValue: (Empty)
+ - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount
+ - ProcessName: C:\WINDOWS\System32\svchost.exe
 condition: registry_event and (( main_selection or session_manager_base and session_manager or current_version_base and current_version or nt_current_version_base and nt_current_version or wow_current_version_base and wow_current_version or
diff --git a/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml b/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
index fdea62d0b..9319a2035 100644
--- a/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
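Review bot: The filter entry `ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount` cannot match a 4657 event, because in Security event 4657 ObjectName holds only the key path (`\REGISTRY\…`) while the value name is reported in the separate ObjectValueName field, whereas Sysmon's TargetObject appended the value name; the filter therefore silently stops excluding anything and this rule gets noisier rather than quieter. The same key-versus-value mismatch affects every rename in this commit where the Sysmon pattern ended in a value name: `\Command Processor\Autorun`, `\Winlogon\Userinit`, `\Control Panel\Desktop\Scrnsave.exe` and similar entries in the earlier hunks of this file, `\EulaAccepted` in the three registry_add_pua_sysinternals rules, `UserInitMprLogonScript`, `\IsCredGuardEnabled`, `Services\WCESERVICE\Start`, `\Run\ntkd`, the `(Default)` suffixes in the CVE-2021-31979 rule, the `endswith: $` in registry_set_add_hidden_user, and the `VSS\Start` and `.AssocFile.WAV` filters in the esentutl and SNAKE rules — for selections the rule never fires, for filters the exclusion is lost. Each such condition should become `ObjectValueName: <name>` (or `ObjectValueName|endswith`) paired with an `ObjectName` match on the parent key. Separately, `NewValue: (Empty)` carries over Sysmon's rendering of an empty Details field; 4657 does not emit that literal, so this entry likely needs to become an empty-string check once confirmed against a captured event. The multi-line `condition` continues outside the hunk.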
+++ b/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -29,8 +29,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
- Details|endswith:
+ ObjectName|contains: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
+ NewValue|endswith:
 - .sh
 - .exe
 - .dll
@@ -46,10 +46,10 @@ detection:
 - .vbs
 condition: registry_set and selection
 fields:
+ - ObjectName
+ - NewValue
 - EventID
 - CommandLine
- - TargetObject
- - Details
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/builtin/deprecated/registry_set_add_hidden_user.yml b/sigma/builtin/deprecated/registry_set_add_hidden_user.yml
index 962ccbfe9..357655b1f 100644
--- a/sigma/builtin/deprecated/registry_set_add_hidden_user.yml
+++ b/sigma/builtin/deprecated/registry_set_add_hidden_user.yml
@@ -19,9 +19,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\
- TargetObject|endswith: $
- Details: DWORD (0x00000000)
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\
+ ObjectName|endswith: $
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml b/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml
index 3066db8d6..0431ea3be 100644
--- a/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml
+++ b/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml
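Review bot: `NewValue: DWORD (0x00000000)` carries over Sysmon's Details formatting; in Security event 4657 the value type is reported separately in NewValueType and NewValue holds the bare value (a plain number for REG_DWORD), so this exact-match literal is unlikely to ever match and should become something like `NewValue: '0'` once confirmed against a captured 4657 event. The same applies to `NewValue: DWORD (0x00000001)` in registry_set_disable_microsoft_office_security_features. In the same selection, `ObjectName|endswith: $` targets the account name, which under SpecialAccounts\Userlist is a value rather than a subkey, and the `\Userlist\` pattern's trailing backslash will not match a key path that ends at `Userlist`; on 4657 this is `ObjectName|endswith: \SpecialAccounts\Userlist` together with `ObjectValueName|endswith: $`.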
@@ -21,13 +21,13 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\Microsoft\Office\
- TargetObject|endswith:
+ ObjectName|contains: \SOFTWARE\Microsoft\Office\
+ ObjectName|endswith:
 - VBAWarnings
 - DisableInternetFilesInPV
 - DisableUnsafeLocationsInPV
 - DisableAttachementsInPV
- Details: DWORD (0x00000001)
+ NewValue: DWORD (0x00000001)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/deprecated/registry_set_office_security.yml b/sigma/builtin/deprecated/registry_set_office_security.yml
index 307e8e5a6..5996d751f 100644
--- a/sigma/builtin/deprecated/registry_set_office_security.yml
+++ b/sigma/builtin/deprecated/registry_set_office_security.yml
@@ -21,7 +21,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith:
+ ObjectName|endswith:
 - \Security\Trusted Documents\TrustRecords
 - \Security\AccessVBOM
 - \Security\VBAWarnings
diff --git a/sigma/builtin/deprecated/registry_set_silentprocessexit.yml b/sigma/builtin/deprecated/registry_set_silentprocessexit.yml
index 612f65dec..c24a60258 100644
--- a/sigma/builtin/deprecated/registry_set_silentprocessexit.yml
+++ b/sigma/builtin/deprecated/registry_set_silentprocessexit.yml
@@ -20,8 +20,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit
- Details|contains: MonitorProcess
+ ObjectName|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit
+ NewValue|contains: MonitorProcess
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 1a674bb90..c3c138c58 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -24,11 +24,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith:
+ ObjectName|endswith:
 - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
 - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
 filter:
- Details|endswith:
+ NewValue|endswith:
 - system32\wbem\wmiutils.dll
 - system32\wbem\wbemsvc.dll
 condition: registry_set and (selection and not filter)
diff --git a/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
index 2a7f98ac5..45c58bb6c 100644
--- a/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
+++ b/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection_path:
- TargetObject|contains: \Microsoft\Windows\CurrentVersion\Run\
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\Run\
 selection_value:
- - TargetObject|contains: Microsift
- - Details|contains: .exe Platypus
+ - ObjectName|contains: Microsift
+ - NewValue|contains: .exe Platypus
 condition: registry_set and (all of selection_*)
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
index 1aa201267..815f9dc97 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
@@ -23,10 +23,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \SOFTWARE\Microsoft\Office\
 - \Outlook\
- TargetObject|contains:
+ ObjectName|contains:
 - \Tasks\
 - \Notes\
 condition: registry_set and selection
diff --git a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
index 3d77de98f..3d9d4a9cf 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-
 - \ProfileImagePath
- Details|contains:
+ NewValue|contains:
 - ANONYMOUS
 - _DomainUser_
 condition: registry_set and selection
diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
index eae90c317..7ecdc532a 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
@@ -18,7 +18,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: SECURITY\Policy\Secrets\n
+ ObjectName|endswith: SECURITY\Policy\Secrets\n
 condition: registry_event and selection
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
index 908d557b1..4a09b45da 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\
+ ObjectName|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\
 filter_main_wav:
- - TargetObject|endswith: .AssocFile.WAV
- - TargetObject|contains: .wav.
+ - ObjectName|endswith: .AssocFile.WAV
+ - ObjectName|contains: .wav.
 condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
 - Some additional tuning might be required to tune out legitimate processes that
diff --git a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
index b4f1cf046..5de37b18e 100644
--- a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
+++ b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -21,7 +21,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
 - Windows TeamCity Settings User Interface
 condition: registry_event and selection
diff --git a/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml b/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml
index 894768104..50789947c 100644
--- a/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml
@@ -22,8 +22,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains: \software\NetWire
+ OperationType: '%%1904'
+ ObjectName|contains: \software\NetWire
 condition: registry_add and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml b/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml
index 7286bafbf..141fc1074 100644
--- a/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains: \Software\AppDataLow\Software\Microsoft\
+ OperationType: '%%1904'
+ ObjectName|contains: \Software\AppDataLow\Software\Microsoft\
 filter:
- TargetObject|contains:
+ ObjectName|contains:
 - \SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\
 - \SOFTWARE\AppDataLow\Software\Microsoft\RepService\
 - \SOFTWARE\AppDataLow\Software\Microsoft\IME\
diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml
index 4e05ab828..f3ca3e4e1 100644
--- a/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml
@@ -19,12 +19,12 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains:
+ OperationType: '%%1904'
+ ObjectName|contains:
 - \SOFTWARE\Microsoft\AMSI\Providers\
 - \SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\
 filter:
- Image|startswith:
+ ProcessName|startswith:
 - C:\Windows\System32\
 - C:\Program Files\
 - C:\Program Files (x86)\
diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml
index 64f855a47..ecfb6e818 100644
--- a/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml
@@ -18,13 +18,13 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains|all:
- - HKU\
+ OperationType: '%%1904'
+ ObjectName|contains|all:
+ - \REGISTRY\USER\
 - Classes\CLSID\
 - \TreatAs
 filter_svchost:
- Image: C:\WINDOWS\system32\svchost.exe
+ ProcessName: C:\WINDOWS\system32\svchost.exe
 condition: registry_add and (selection and not 1 of filter_*)
 falsepositives:
 - Maybe some system utilities in rare cases use linking keys for backward compatibility
diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
index 0856d0997..d59081829 100644
--- a/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
@@ -27,10 +27,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\
+ OperationType: '%%1904'
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\
 filter:
- TargetObject|endswith:
+ ObjectName|endswith:
 - \Active Setup Temp Folders
 - \BranchCache
 - \Content Indexer Cleaner
diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index d20595aee..060698ac6 100644
--- a/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -20,8 +20,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains: UserInitMprLogonScript
+ OperationType: '%%1904'
+ ObjectName|contains: UserInitMprLogonScript
 condition: registry_add and selection
 falsepositives:
 - Investigate the contents of the "UserInitMprLogonScript" value to determine
diff --git a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
index 1db7b62b3..0e8f9d9e5 100644
--- a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|endswith: \EulaAccepted
+ OperationType: '%%1904'
+ ObjectName|endswith: \EulaAccepted
 condition: registry_add and selection
 falsepositives:
 - Legitimate use of SysInternals tools
diff --git a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
index 26da7b633..35d1af06a 100644
--- a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
@@ -25,8 +25,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains:
+ OperationType: '%%1904'
+ ObjectName|contains:
 - \Active Directory Explorer
 - \Handle
 - \LiveKd
@@ -39,9 +39,9 @@ detection:
 - \PsPing
 - \PsService
 - \SDelete
- TargetObject|endswith: \EulaAccepted
+ ObjectName|endswith: \EulaAccepted
 filter:
- Image|endswith:
+ ProcessName|endswith:
 - \ADExplorer.exe
 - \ADExplorer64.exe
 - \handle.exe
diff --git a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
index a21c19302..bda9d2b1b 100644
--- a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
+++ b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
@@ -25,8 +25,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: CreateKey
- TargetObject|contains:
+ OperationType: '%%1904'
+ ObjectName|contains:
 - \Active Directory Explorer
 - \Handle
 - \LiveKd
@@ -37,7 +37,7 @@ detection:
 - \PsPasswd
 - \SDelete
 - \Sysinternals
- TargetObject|endswith: \EulaAccepted
+ ObjectName|endswith: \EulaAccepted
 condition: registry_add and selection
 falsepositives:
 - Legitimate use of SysInternals tools. Filter the legitimate paths used in your
diff --git a/sigma/builtin/registry/registry_event/registry_event_add_local_hidden_user.yml b/sigma/builtin/registry/registry_event/registry_event_add_local_hidden_user.yml
index 6c27fcb47..35b7135cf 100644
--- a/sigma/builtin/registry/registry_event/registry_event_add_local_hidden_user.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_add_local_hidden_user.yml
@@ -18,9 +18,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SAM\SAM\Domains\Account\Users\Names\
- TargetObject|endswith: $
- Image|endswith: \lsass.exe
+ ObjectName|contains: \SAM\SAM\Domains\Account\Users\Names\
+ ObjectName|endswith: $
+ ProcessName|endswith: \lsass.exe
 condition: registry_event and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_event/registry_event_apt_leviathan.yml b/sigma/builtin/registry/registry_event/registry_event_apt_leviathan.yml
index b12af23a1..3544e79ac 100644
--- a/sigma/builtin/registry/registry_event/registry_event_apt_leviathan.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_apt_leviathan.yml
@@ -18,7 +18,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Run\ntkd
+ ObjectName|contains: \Software\Microsoft\Windows\CurrentVersion\Run\ntkd
 condition: registry_event and selection
 level: critical
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_event/registry_event_apt_oceanlotus_registry.yml b/sigma/builtin/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
index d72f2d180..1fa804716 100644
--- a/sigma/builtin/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
@@ -19,21 +19,21 @@ detection:
 EventID: 4657
 Channel: Security
 selection_clsid:
- TargetObject|contains: \SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
+ ObjectName|contains: \SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
 selection_hkcu:
- TargetObject|contains:
+ ObjectName|contains:
 - Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
 - Classes\AppX3bbba44c6cae4d9695755183472171e2\
 - Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
 - Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
 selection_appx_1:
- TargetObject|contains: \SOFTWARE\App\
+ ObjectName|contains: \SOFTWARE\App\
 selection_appx_2:
- TargetObject|contains:
+ ObjectName|contains:
 - AppXbf13d4ea2945444d8b13e2121cb6b663\
 - AppX70162486c7554f7f80f481985d67586d\
 - AppX37cc7fdccd644b4f85f4b22d5a3f105a\
- TargetObject|endswith:
+ ObjectName|endswith:
 - Application
 - DefaultIcon
 condition: registry_event and (selection_clsid or selection_hkcu or all of selection_appx_*)
diff --git a/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml b/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml
index 7966c6ae9..e042cfe1e 100644
--- a/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml
@@ -34,7 +34,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith:
+ ObjectName|endswith:
 - SOFTWARE\Microsoft\Windows\CurrentVersion\UMe
 - SOFTWARE\Microsoft\Windows\CurrentVersion\UT
 condition: registry_event and selection
diff --git a/sigma/builtin/registry/registry_event/registry_event_apt_pandemic.yml b/sigma/builtin/registry/registry_event/registry_event_apt_pandemic.yml
index 48eaef09a..3026bdb34 100644
--- a/sigma/builtin/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_apt_pandemic.yml
@@ -19,15 +19,15 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SYSTEM\CurrentControlSet\services\null\Instance
+ ObjectName|contains: \SYSTEM\CurrentControlSet\services\null\Instance
 condition: registry_event and selection
 fields:
+ - ProcessName
+ - SubjectUserName
+ - ObjectName
 - EventID
 - CommandLine
 - ParentCommandLine
- - Image
- - User
- - TargetObject
 falsepositives:
 - Unknown
 level: critical
diff --git a/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml b/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml
index 8b49e2463..b16177704 100644
--- a/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml
@@ -22,13 +22,13 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
+ ObjectName|endswith: \AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
 condition: registry_event and selection
 fields:
+ - ProcessName
+ - OperationType
+ - ObjectName
 - ComputerName
- - Image
- - EventType
- - TargetObject
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
index 6dc6b64ad..a2629b922 100644
--- a/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
@@ -22,12 +22,12 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \cmmgr32.exe
+ ObjectName|contains: \cmmgr32.exe
 condition: registry_event and selection
 fields:
+ - NewValue
 - CommandLine
 - ParentCommandLine
- - Details
 falsepositives:
 - Legitimate CMSTP use (unlikely in modern enterprise environments)
 level: high
diff --git a/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index af546f645..b9247639b 100644
--- a/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -20,14 +20,14 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- - TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
- EventType: CreateKey
+ - ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt
+ OperationType: '%%1904'
 - NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
 condition: registry_event and selection
 fields:
+ - ProcessName
+ - ObjectName
 - EventID
- - Image
- - TargetObject
 - NewName
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index 96c35a2d4..e1e5803d2 100644
--- a/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -26,7 +26,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \IsCredGuardEnabled
+ ObjectName|endswith: \IsCredGuardEnabled
 condition: registry_event and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
index 05a25d55d..742106968 100644
--- a/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
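Review bot: The second selection branch, `- NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt`, is left on a Sysmon-only field (NewName is populated by the Sysmon key/value rename event) and keeps the old `HKLM` prefix, while the first branch was converted to `\REGISTRY\MACHINE\…`; Security event 4657 has no NewName field, so that branch can never match on this logsource and should either be dropped or rewritten against a source that provides it. The `fields` list still names `NewName` for the same reason. With `ObjectName` now exact-matching the key path, the first branch fires on any new value written directly under MiniNt rather than on key creation, which is the closest 4657 can offer; a `# 4657 audits value writes only — key creation itself is not logged` comment would save the next reader from assuming otherwise.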
+++ b/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: System\CurrentControlSet\Services\VSS
- Image|endswith: esentutl.exe
+ ObjectName|contains: System\CurrentControlSet\Services\VSS
+ ProcessName|endswith: esentutl.exe
 filter:
- TargetObject|contains: System\CurrentControlSet\Services\VSS\Start
+ ObjectName|contains: System\CurrentControlSet\Services\VSS\Start
 condition: registry_event and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_event/registry_event_hack_wce_reg.yml b/sigma/builtin/registry/registry_event/registry_event_hack_wce_reg.yml
index b8108bfe8..c0bb20497 100644
--- a/sigma/builtin/registry/registry_event/registry_event_hack_wce_reg.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_hack_wce_reg.yml
@@ -19,7 +19,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: Services\WCESERVICE\Start
+ ObjectName|contains: Services\WCESERVICE\Start
 condition: registry_event and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
index b1ca93c51..3b02eb832 100644
--- a/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
@@ -19,10 +19,10 @@ detection: EventID: 4657 Channel: Security selection1: - TargetObject|contains: \Services\HybridConnectionManager + ObjectName|contains: \Services\HybridConnectionManager selection2: - EventType: SetValue - Details|contains: Microsoft.HybridConnectionManager.Listener.exe + OperationType: '%%1905' + NewValue|contains: Microsoft.HybridConnectionManager.Listener.exe condition: registry_event and (selection1 or selection2) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_mal_azorult.yml b/sigma/builtin/registry/registry_event/registry_event_mal_azorult.yml index 78cd563f3..feb5bb69c 100644 --- a/sigma/builtin/registry/registry_event/registry_event_mal_azorult.yml +++ b/sigma/builtin/registry/registry_event/registry_event_mal_azorult.yml @@ -21,12 +21,12 @@ detection: EventID: - 12 - 13 - TargetObject|contains: SYSTEM\ - TargetObject|endswith: \services\localNETService + ObjectName|contains: SYSTEM\ + ObjectName|endswith: \services\localNETService condition: registry_event and selection fields: - - Image - - TargetObject + - ProcessName + - ObjectName - TargetDetails falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml b/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml index 35dfcd4c8..46c39932f 100644 --- a/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml +++ b/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml 
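Review bot: `selection` in the Azorult rule still carries the Sysmon IDs `EventID: - 12 - 13` while the rule is moved onto the Security-channel base (`registry_event` is `EventID: 4657 Channel: Security` in the sibling rules); ANDing the two can never be true, so the rule is silently dead after this change. Drop the EventID list from `selection` and let the base selection supply the event. `TargetDetails` in `fields:` is not a 4657 field either; `NewValue` is the nearest equivalent. The start of the `selection` block lies outside the hunk.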
@@ -18,11 +18,11 @@ detection: EventID: 4657 Channel: Security selection: - - TargetObject: - - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A} - - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027} - - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303} - - TargetObject|startswith: HKLM\SYSTEM\Setup\PrintResponsor\ + - ObjectName: + - \REGISTRY\MACHINE\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A} + - \REGISTRY\MACHINE\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027} + - \REGISTRY\MACHINE\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303} + - ObjectName|startswith: \REGISTRY\MACHINE\SYSTEM\Setup\PrintResponsor\ condition: registry_event and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml b/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml index a023286d6..3583ba2a4 100644 --- a/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml +++ b/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml @@ -18,7 +18,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \Software\firm\soft\Name + ObjectName|endswith: \Software\firm\soft\Name condition: registry_event and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml index babec9443..938138593 100644 --- a/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml +++ b/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml 
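Review bot: `ObjectName|endswith: \Software\firm\soft\Name` in the Qakbot rule will not match if, as in the documented 4657 schema, `ObjectName` holds only the key path and the value name `Name` is reported in `ObjectValueName`. Suggest `ObjectName|endswith: \Software\firm\soft` plus `ObjectValueName: Name`. The same mechanical `TargetObject`→`ObjectName` substitution is applied to other value-level `|endswith` patterns in this commit, so it is worth fixing in one sweep rather than rule by rule.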
@@ -25,19 +25,19 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\ - \Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz selection_alt: - TargetObject|contains|all: + ObjectName|contains|all: - legitprinter - \Control\Print\Environments\Windows selection_print: - TargetObject|contains: + ObjectName|contains: - \Control\Print\Environments - \CurrentVersion\Print\Printers selection_kiwi: - TargetObject|contains: + ObjectName|contains: - Gentil Kiwi - mimikatz printer - Kiwi Legit Printer diff --git a/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml b/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml index 003d59712..da623649f 100644 --- a/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml +++ b/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml @@ -21,9 +21,9 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \Control Panel\Desktop\SCRNSAVE.EXE + ObjectName|endswith: \Control Panel\Desktop\SCRNSAVE.EXE filter: - Image|endswith: + ProcessName|endswith: - \rundll32.exe - \explorer.exe condition: registry_event and (selection and not filter) diff --git a/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml index 2083f0afa..cdced3934 100644 --- a/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml +++ b/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml 
@@ -18,10 +18,10 @@ detection: EventID: 4657 Channel: Security selection1: - EventType: DeleteValue - TargetObject|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute + OperationType: '%%1906' + ObjectName|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute selection2: - TargetObject|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default) + ObjectName|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default) condition: registry_event and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml index 93c784903..ab8ba04e0 100644 --- a/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/sigma/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml @@ -19,11 +19,11 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains|all: + ObjectName|contains|all: - SYSTEM\ - ControlSet - \Control\Lsa - TargetObject|endswith: + ObjectName|endswith: - \lmcompatibilitylevel - \NtlmMinClientSec - \RestrictSendingNTLMTraffic diff --git a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml index 956959154..283da84fd 100644 --- a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml +++ b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml 
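Review bot: `selection1` pairs `OperationType: '%%1906'` with `ObjectName|endswith: ...\Shell\open\command\DelegateExecute`, but on a 4657 value-deletion event `ObjectName` is the key path and the deleted value's name lands in `ObjectValueName`, so the selection is unlikely to ever fire. Suggest `ObjectName|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command` with `ObjectValueName: DelegateExecute`. How the Security channel names the default value (`(Default)` in Sysmon terms) for `selection2` is something I cannot confirm from here and should be checked against a real event.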
@@ -25,13 +25,14 @@ detection: EventID: 4657 Channel: Security selection: - - TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls + - ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session + Manager\AppCertDlls - NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls condition: registry_event and selection fields: + - ProcessName + - ObjectName - EventID - - Image - - TargetObject - NewName falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml index 0bcc40ab8..65ab8fd42 100644 --- a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml @@ -20,14 +20,14 @@ detection: EventID: 4657 Channel: Security selection: - - TargetObject|endswith: + - ObjectName|endswith: - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls - NewName|endswith: - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls filter: - Details: (Empty) + NewValue: (Empty) condition: registry_event and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml b/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml index 6cee3b29f..61d7602fc 100644 --- a/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml +++ b/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml 
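Review bot: `filter: NewValue: (Empty)` in the AppInit_Dlls rule carries over Sysmon's literal rendering of an empty Details field; a 4657 event for an empty REG_SZ most likely has an empty `NewValue` string rather than the token `(Empty)`, so the filter would not suppress the blank writes it was meant to and every AppInit_Dlls clear-out would alert. Verify against a captured event and use `NewValue: ''` (or whatever the channel actually renders). The `- NewName|endswith:` alternative in `selection` is also left on a Sysmon-only field and is dead on 4657.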
@@ -19,7 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \Software\Microsoft\Office test\Special\Perf + ObjectName|contains: \Software\Microsoft\Office test\Special\Perf condition: registry_event and selection falsepositives: - Unlikely diff --git a/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml b/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml index 6922a000a..9b1cdfd6a 100644 --- a/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml +++ b/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml @@ -24,7 +24,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \Security\Trusted Documents\TrustRecords + ObjectName|contains: \Security\Trusted Documents\TrustRecords condition: registry_event and selection falsepositives: - This will alert on legitimate macro usage as well, additional tuning is required diff --git a/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml b/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml index a52891df7..25516ed25 100644 --- a/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml +++ b/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml @@ -20,11 +20,11 @@ detection: EventID: 4657 Channel: Security selection_create: - EventType: RenameKey NewName|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open + OperationType: '%%1905' selection_set: - EventType: SetValue - TargetObject|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) + OperationType: '%%1905' + ObjectName|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) condition: registry_event and (1 of selection_*) falsepositives: - Unknown 
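Review bot: `selection_create` in the Recycle Bin rule drops `EventType: RenameKey` but keeps `NewName|contains: ...` and adds `OperationType: '%%1905'`; 4657 has no NewName field and does not report key renames at all (%%1905 is, as I recall, value modified), so this selection can never fire and the rule silently collapses to `selection_set` alone. Either delete `selection_create` or say in the description that key renames are out of scope on the Security channel. `selection_set` also needs the key/value split (`ObjectName|endswith: ...\shell\open\command` plus the default value in `ObjectValueName`) to match under 4657.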
diff --git a/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml b/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml index 4612d0050..a4a75875f 100644 --- a/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml +++ b/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml @@ -23,7 +23,7 @@ detection: EventID: 4657 Channel: Security selection_registry: - TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp + ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp condition: registry_event and selection_registry falsepositives: - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) diff --git a/sigma/builtin/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/sigma/builtin/registry/registry_event/registry_event_redmimicry_winnti_reg.yml index 3d3343f36..f9dfe17c5 100644 --- a/sigma/builtin/registry/registry_event/registry_event_redmimicry_winnti_reg.yml +++ b/sigma/builtin/registry/registry_event/registry_event_redmimicry_winnti_reg.yml @@ -18,7 +18,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data + ObjectName|contains: \REGISTRY\MACHINE\SOFTWARE\Microsoft\HTMLHelp\data condition: registry_event and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml b/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml index ff44f20b3..99810a347 100644 --- a/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml +++ b/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml 
@@ -19,14 +19,14 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Run\Backup + ObjectName|endswith: Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr condition: registry_event and selection fields: + - ProcessName + - OperationType + - ObjectName - ComputerName - - Image - - EventType - - TargetObject falsepositives: - Unknown level: high diff --git a/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml b/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml index e88e9cc67..bed25173c 100644 --- a/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml +++ b/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml @@ -20,17 +20,18 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components - TargetObject|endswith: \StubPath + ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed + Components + ObjectName|endswith: \StubPath filter_chrome: - Details|startswith: '"C:\Program Files\Google\Chrome\Application\' - Details|contains: \Installer\chrmstp.exe" --configure-user-settings --verbose-logging + NewValue|startswith: '"C:\Program Files\Google\Chrome\Application\' + NewValue|contains: \Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level filter_edge: - Details|startswith: + NewValue|startswith: - '"C:\Program Files (x86)\Microsoft\Edge\Application\' - '"C:\Program Files\Microsoft\Edge\Application\' - Details|endswith: \Installer\setup.exe" --configure-user-settings --verbose-logging + NewValue|endswith: \Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable condition: registry_event and (selection and not 1 of filter_*) falsepositives: 
diff --git a/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml index 1c0f0a87e..28d147641 100644 --- a/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +++ b/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml @@ -25,18 +25,18 @@ detection: EventID: 4657 Channel: Security selection1: - EventType: SetValue - TargetObject|endswith: Classes\ms-settings\shell\open\command\SymbolicLinkValue - Details|contains: \Software\Classes\{ + OperationType: '%%1905' + ObjectName|endswith: Classes\ms-settings\shell\open\command\SymbolicLinkValue + NewValue|contains: \Software\Classes\{ selection2: - TargetObject|endswith: Classes\ms-settings\shell\open\command\DelegateExecute + ObjectName|endswith: Classes\ms-settings\shell\open\command\DelegateExecute selection3: - EventType: SetValue - TargetObject|endswith: + OperationType: '%%1905' + ObjectName|endswith: - Classes\ms-settings\shell\open\command\(Default) - Classes\exefile\shell\open\command\(Default) filter_sel3: - Details: (Empty) + NewValue: (Empty) condition: registry_event and (selection1 or selection2 or (selection3 and not filter_sel3)) falsepositives: diff --git a/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml index 3e0b67197..8731ad430 100644 --- a/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml +++ b/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml 
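Review bot: `OperationType: '%%1905'` on its own replaces `EventType: SetValue`, but Sysmon's SetValue covers both first write and overwrite, whereas 4657 distinguishes value creation (%%1904) from modification (%%1905); the first-time creation of `SymbolicLinkValue` under `ms-settings\shell\open\command` — the normal case for this UAC-bypass technique, since the key does not exist by default — would be missed. Use a list in selection1 and selection3: `OperationType: - '%%1904' - '%%1905'`. The same narrowing appears in the other SetValue conversions in this commit. The value-name components (`SymbolicLinkValue`, `DelegateExecute`, `(Default)`) will also need to move to `ObjectValueName` for 4657 matching.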
@@ -23,7 +23,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe + ObjectName|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe condition: registry_event and selection falsepositives: - Unlikely diff --git a/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml index ff8085c7d..913c7770d 100644 --- a/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml +++ b/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml @@ -19,11 +19,12 @@ detection: EventID: 4657 Channel: Security selection_registry: - TargetObject: - - HKLM\System\CurrentControlSet\Control\Lsa\Security Packages - - HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages + ObjectName: + - \REGISTRY\MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages + - \REGISTRY\MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig\Security + Packages exclusion_images: - Image: + ProcessName: - C:\Windows\system32\msiexec.exe - C:\Windows\syswow64\MsiExec.exe condition: registry_event and (selection_registry and not exclusion_images) diff --git a/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml index 76f0b96c7..b4451d1b6 100644 --- a/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml 
@@ -24,7 +24,7 @@ detection: EventID: 4657 Channel: Security selection_registry: - TargetObject|endswith: + ObjectName|endswith: - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml b/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml index e5956916f..560f20432 100644 --- a/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml +++ b/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml @@ -22,16 +22,16 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs - Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration filter_atbroker: - Image: C:\Windows\system32\atbroker.exe - TargetObject|contains: \Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration - Details: (Empty) + ProcessName: C:\Windows\system32\atbroker.exe + ObjectName|contains: \Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration + NewValue: (Empty) filter_uninstallers: - Image|startswith: C:\Windows\Installer\MSI - TargetObject|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs + ProcessName|startswith: C:\Windows\Installer\MSI + ObjectName|contains: Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs condition: registry_event and (selection and not 1 of filter_*) falsepositives: - Creation of non-default, legitimate at usage 
diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml b/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml index 8de05c0de..23424d31b 100644 --- a/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml +++ b/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml @@ -19,11 +19,11 @@ detection: EventID: 4657 Channel: Security selection: - Image|contains: + ProcessName|contains: - \Downloads\ - \Temporary Internet Files\Content.Outlook\ - \Local Settings\Temporary Internet Files\ - TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ + ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ condition: registry_event and selection falsepositives: - Software installers downloaded and used by users diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml index a98ecccee..a70356ed6 100644 --- a/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml +++ b/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml @@ -21,12 +21,12 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt - \CurrentControlSet\Services\NTDS\LsaDbExtPt filter_domain_controller: - Image: C:\Windows\system32\lsass.exe - Details: + ProcessName: C:\Windows\system32\lsass.exe + NewValue: - '%%systemroot%%\system32\ntdsa.dll' - '%%systemroot%%\system32\lsadb.dll' condition: registry_event and (selection and not 1 of filter_*) diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml b/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml index 59355abb6..6cfff1bed 100644 --- a/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml 
+++ b/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml @@ -20,15 +20,15 @@ detection: EventID: 4657 Channel: Security selection_1: - TargetObject|contains|all: + ObjectName|contains|all: - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ - \NonPackaged selection_2: - TargetObject|contains: + ObjectName|contains: - microphone - webcam selection_3: - TargetObject|contains: + ObjectName|contains: - :#Windows#Temp# - :#$Recycle.bin# - :#Temp# diff --git a/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml b/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml index 8fa6f5c40..81c515e03 100644 --- a/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml +++ b/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml @@ -18,8 +18,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \Microsoft\WBEM\CIMOM\AllowAnonymousCallback - Details: DWORD (0x00000001) + ObjectName|contains: \Microsoft\WBEM\CIMOM\AllowAnonymousCallback + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Administrative activity diff --git a/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index 38dd204e7..8d2dc83c7 100644 --- a/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml 
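Review bot: `NewValue: DWORD (0x00000001)` in the AllowAnonymousCallback rule reproduces Sysmon's Details rendering; 4657 reports the value type separately in `NewValueType` and, to my knowledge, `NewValue` as the plain number, so this exact match is unlikely to ever fire on the Security channel. Suggest `NewValue: '1'`, confirmed against a real event, and moving `AllowAnonymousCallback` into `ObjectValueName` with `ObjectName|endswith: \Microsoft\WBEM\CIMOM`. The same `DWORD (0x...)` literals are converted elsewhere in this commit (e.g. the Remote Assistance rule) and need the same treatment.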
@@ -20,16 +20,16 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|startswith: - - HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ - - HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ - TargetObject|endswith: \(Default) - Details: Service + ObjectName|startswith: + - \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ + - \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ + ObjectName|endswith: \(Default) + NewValue: Service filter_sophos: - Image: C:\WINDOWS\system32\msiexec.exe - TargetObject: - - HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SAVService\(Default) - - HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SAVService\(Default) + ProcessName: C:\WINDOWS\system32\msiexec.exe + ObjectName: + - \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\SAVService\(Default) + - \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\SAVService\(Default) condition: registry_set and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml b/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml index bb3537e0a..34c7da23a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml +++ b/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml 
@@ -24,20 +24,20 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|startswith: HKLM\System\CurrentControlSet\Control\Print\Monitors\ - Details|endswith: .dll + ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Control\Print\Monitors\ + NewValue|endswith: .dll filter_cutepdf: - Image: C:\Windows\System32\spoolsv.exe - TargetObject|contains: \System\CurrentControlSet\Control\Print\Monitors\CutePDF + ProcessName: C:\Windows\System32\spoolsv.exe + ObjectName|contains: \System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver - Details: cpwmon64_v40.dll - User|contains: + NewValue: cpwmon64_v40.dll + SubjectUserName|contains: - AUTHORI - AUTORI filter_leg1: - TargetObject|contains: Control\Print\Monitors\MONVNC\Driver + ObjectName|contains: Control\Print\Monitors\MONVNC\Driver filter_leg2: - TargetObject|contains|all: + ObjectName|contains|all: - Control\Print\Environments\ - \Drivers\ - \VNC Printer diff --git a/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml index 8bae26c9f..ac5ad54db 100644 --- a/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml +++ b/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml @@ -20,10 +20,10 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger - Details|endswith: .dll + ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger + NewValue|endswith: .dll filter: - Details: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p' + NewValue: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p' condition: registry_set and (selection and not filter) falsepositives: - Legitimate use of the key to setup a debugger. Which is often the case on developers 
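Review bot: `SubjectUserName|contains: - AUTHORI - AUTORI` in `filter_cutepdf` carries over a match written for Sysmon's `User` field (`NT AUTHORITY\SYSTEM` and its localized forms), but in 4657 the SYSTEM account is, as far as I recall, reported as the computer account (`<HOST>$`) with the authority in `SubjectDomainName`, so the filter likely never matches and the spoolsv/CutePDF exclusion stops working. Filter on `SubjectUserSid: S-1-5-18` instead, which is also locale-independent. This is inferred from the 4657 schema rather than visible here; confirm with a sample event.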
diff --git a/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml index e973b41d8..5305a02b8 100644 --- a/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml +++ b/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml @@ -19,8 +19,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp - Details: DWORD (0x00000001) + ObjectName|endswith: System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Legitimate use of the feature (alerts should be investigated either way) diff --git a/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml b/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml index e8ff3900b..326b7a50d 100644 --- a/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml +++ b/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml @@ -23,9 +23,9 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default) + ObjectName|endswith: \CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default) filter: - Details: '%windir%\system32\amsi.dll' + NewValue: '%windir%\system32\amsi.dll' condition: registry_set and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml index 4b527d33e..09cb1c34f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml @@ -24,9 +24,9 @@ detection: EventID: 4657 Channel: Security selection_classes_base: - TargetObject|contains: \Software\Classes + ObjectName|contains: \Software\Classes selection_classes_target: - TargetObject|contains: + ObjectName|contains: - \Folder\ShellEx\ExtShellFolderViews - \Folder\ShellEx\DragDropHandlers - \Folder\Shellex\ColumnHandlers @@ -44,14 +44,14 @@ detection: - \ShellEx\PropertySheetHandlers - \ShellEx\ContextMenuHandlers filter_empty: - Details: (Empty) + NewValue: (Empty) filter_msoffice: - Details: '{807583E5-5146-11D5-A672-00B0D022E945}' + NewValue: '{807583E5-5146-11D5-A672-00B0D022E945}' filter_drivers: - Image: C:\Windows\System32\drvinst.exe + ProcessName: C:\Windows\System32\drvinst.exe filter_svchost: - Image: C:\Windows\System32\svchost.exe - TargetObject|contains: \lnkfile\shellex\ContextMenuHandlers\ + ProcessName: C:\Windows\System32\svchost.exe + ObjectName|contains: \lnkfile\shellex\ContextMenuHandlers\ condition: registry_set and (all of selection_* and not 1 of filter_*) fields: - SecurityID diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index ff8d3cf45..032e80d5a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -25,7 +25,7 @@ detection: EventID: 4657 Channel: Security main_selection: - TargetObject|contains: + ObjectName|contains: - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart - \Software\Wow6432Node\Microsoft\Command Processor\Autorun - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components 
@@ -45,32 +45,32 @@ detection: - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32 - \Control Panel\Desktop\Scrnsave.exe filter_empty: - Details: (Empty) + NewValue: (Empty) filter_msoffice: - - TargetObject|contains: + - ObjectName|contains: - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\ - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\ - - Details: + - NewValue: - '{314111c7-a502-11d2-bbca-00c04f8ec294}' - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}' - '{42089D2D-912D-4018-9087-2B87803E93FB}' - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}' - '{807583E5-5146-11D5-A672-00B0D022E945}' filter_chrome: - TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} + ObjectName|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} filter_edge: - TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} + ObjectName|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} filter_IE: - TargetObject|contains: \Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} + ObjectName|contains: \Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} filter_image: - Image: + ProcessName: - C:\Windows\System32\poqexec.exe - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe filter_office: - Image|startswith: + ProcessName|startswith: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|endswith: \OfficeClickToRun.exe condition: registry_set and (main_selection and not 1 of filter_*) falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun 
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index c8c135121..fbe8af98f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml @@ -24,9 +24,9 @@ detection: EventID: 4657 Channel: Security system_control_base: - TargetObject|contains: \SYSTEM\CurrentControlSet\Control + ObjectName|contains: \SYSTEM\CurrentControlSet\Control system_control_keys: - TargetObject|contains: + ObjectName|contains: - \Terminal Server\WinStations\RDP-Tcp\InitialProgram - \Terminal Server\Wds\rdpwd\StartupPrograms - \SecurityProviders\SecurityProviders 
@@ -38,26 +38,26 @@ detection: - \Lsa\Authentication Packages - \BootVerificationProgram\ImagePath filter_empty: - Details: (Empty) + NewValue: (Empty) filter_cutepdf: - Image: C:\Windows\System32\spoolsv.exe - TargetObject|contains: \Print\Monitors\CutePDF Writer Monitor - Details: + ProcessName: C:\Windows\System32\spoolsv.exe + ObjectName|contains: \Print\Monitors\CutePDF Writer Monitor + NewValue: - cpwmon64_v40.dll - CutePDF Writer filter_onenote: - Image: C:\Windows\System32\spoolsv.exe - TargetObject|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_ - User|contains: + ProcessName: C:\Windows\System32\spoolsv.exe + ObjectName|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_ + SubjectUserName|contains: - AUTHORI - AUTORI filter_poqexec: - Image: C:\Windows\System32\poqexec.exe - TargetObject|endswith: \NetworkProvider\Order\ProviderOrder + ProcessName: C:\Windows\System32\poqexec.exe + ObjectName|endswith: \NetworkProvider\Order\ProviderOrder filter_realvnc: - Image: C:\Windows\System32\spoolsv.exe - TargetObject|endswith: \Print\Monitors\MONVNC\Driver - Details: VNCpm.dll + ProcessName: C:\Windows\System32\spoolsv.exe + ObjectName|endswith: \Print\Monitors\MONVNC\Driver + NewValue: VNCpm.dll condition: registry_set and (all of system_control_* and not 1 of filter_*) fields: - SecurityID diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index c285adaab..c89586140 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml 
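Review bot: `SubjectUserName|contains:` with the values `AUTHORI` and `AUTORI` in `filter_onenote` inherits a pattern written for Sysmon's `User` field, which holds `DOMAIN\Name`; 4657 splits the two, so the `NT AUTHORITY` substring (and its localised variants) lives in `SubjectDomainName` while `SubjectUserName` holds `SYSTEM`, and this filter will not match. Changing the key to `SubjectDomainName|contains:` with the same two values preserves the intent. This is the only hunk in the chunk where `User` was remapped, so no other rule is affected.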
@@ -25,9 +25,9 @@ detection: EventID: 4657 Channel: Security current_version_base: - TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion + ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion current_version_keys: - TargetObject|contains: + ObjectName|contains: - \ShellServiceObjectDelayLoad - \Run\ - \RunOnce\ @@ -49,13 +49,13 @@ detection: - \Authentication\Credential Providers - \Authentication\Credential Provider Filters filter_all: - - Details: (Empty) - - TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount - - Image|endswith: + - NewValue: (Empty) + - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount + - ProcessName|endswith: - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe - \AppData\Roaming\Spotify\Spotify.exe - \AppData\Local\WebEx\WebexHost.exe - - Image: + - ProcessName: - C:\WINDOWS\system32\devicecensus.exe - C:\Windows\system32\winsat.exe - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe 
@@ -65,84 +65,84 @@ detection: - C:\Program Files\Everything\Everything.exe - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe filter_logonui: - Image: C:\Windows\system32\LogonUI.exe - TargetObject|contains: + ProcessName: C:\Windows\system32\LogonUI.exe + ObjectName|contains: - \Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\ - \Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\ - \Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\ - \Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\ filter_edge: - Image|startswith: + ProcessName|startswith: - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\ - C:\Program Files (x86)\Microsoft\EdgeWebView\ - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe filter_dropbox: - Image: C:\Windows\system32\regsvr32.exe - TargetObject|contains: DropboxExt - Details|endswith: A251-47B7-93E1-CDD82E34AF8B} + ProcessName: C:\Windows\system32\regsvr32.exe + ObjectName|contains: DropboxExt + NewValue|endswith: A251-47B7-93E1-CDD82E34AF8B} filter_opera: - TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera + ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant - Details: C:\Program Files\Opera\assistant\browser_assistant.exe + NewValue: C:\Program Files\Opera\assistant\browser_assistant.exe filter_itunes: - TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper - Details: '"C:\Program Files\iTunes\iTunesHelper.exe"' + ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper + NewValue: '"C:\Program Files\iTunes\iTunesHelper.exe"' filter_zoom: - TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair - Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair' + ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair + NewValue: 
'"C:\Program Files\Zoom\bin\installer.exe" /repair' filter_greenshot: - TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot - Details: C:\Program Files\Greenshot\Greenshot.exe + ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot + NewValue: C:\Program Files\Greenshot\Greenshot.exe filter_googledrive1: - TargetObject|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS - Details|startswith: C:\Program Files\Google\Drive File Stream\ - Details|contains: \GoogleDriveFS.exe + ObjectName|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS + NewValue|startswith: C:\Program Files\Google\Drive File Stream\ + NewValue|contains: \GoogleDriveFS.exe filter_googledrive2: - TargetObject|contains: GoogleDrive - Details: + ObjectName|contains: GoogleDrive + NewValue: - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}' - '{A8E52322-8734-481D-A7E2-27B309EF8D56}' - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}' - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}' filter_onedrive: - Details|startswith: + NewValue|startswith: - C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\ - C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\ - Details|contains: \AppData\Local\Microsoft\OneDrive\ + NewValue|contains: \AppData\Local\Microsoft\OneDrive\ filter_python: - TargetObject|contains: \Microsoft\Windows\CurrentVersion\RunOnce\{ - Details|contains|all: + ObjectName|contains: \Microsoft\Windows\CurrentVersion\RunOnce\{ + NewValue|contains|all: - \AppData\Local\Package Cache\{ - '}\python-' - Details|endswith: .exe" /burn.runonce + NewValue|endswith: .exe" /burn.runonce filter_officeclicktorun: - Image|startswith: + ProcessName|startswith: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|endswith: \OfficeClickToRun.exe filter_defender: - Image: C:\Program Files\Windows Defender\MsMpEng.exe 
+ ProcessName: C:\Program Files\Windows Defender\MsMpEng.exe filter_teams: - Image|endswith: \Microsoft\Teams\current\Teams.exe - Details|contains: '\Microsoft\Teams\Update.exe --processStart ' + ProcessName|endswith: \Microsoft\Teams\current\Teams.exe + NewValue|contains: '\Microsoft\Teams\Update.exe --processStart ' filter_ctfmon: - Image: C:\Windows\system32\userinit.exe - Details: ctfmon.exe /n + ProcessName: C:\Windows\system32\userinit.exe + NewValue: ctfmon.exe /n filter_AVG: - Image|startswith: C:\Program Files\AVG\Antivirus\Setup\ - Details: + ProcessName|startswith: C:\Program Files\AVG\Antivirus\Setup\ + NewValue: - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui' - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui' - '{472083B0-C522-11CF-8763-00608CC02F24}' filter_aurora_dashboard: - Image|endswith: + ProcessName|endswith: - \aurora-agent-64.exe - \aurora-agent.exe - TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\aurora-dashboard - Details: C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe + ObjectName|endswith: \Microsoft\Windows\CurrentVersion\Run\aurora-dashboard + NewValue: C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe filter_everything: - TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything - Details|endswith: \Everything\Everything.exe" -startup + ObjectName|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything + NewValue|endswith: \Everything\Everything.exe" -startup condition: registry_set and (all of current_version_* and not 1 of filter_*) falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index 44fc72b7c..c4e676ac9 100644 
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -24,9 +24,9 @@ detection: EventID: 4657 Channel: Security nt_current_version_base: - TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion + ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion nt_current_version: - TargetObject|contains: + ObjectName|contains: - \Winlogon\VmApplet - \Winlogon\Userinit - \Winlogon\Taskman 
@@ -42,44 +42,44 @@ detection: - \Windows\Run - \Windows\Load filter_empty: - Details: (Empty) + NewValue: (Empty) filter_legitimate_subkey: - TargetObject|contains: \Image File Execution Options\ - TargetObject|endswith: + ObjectName|contains: \Image File Execution Options\ + ObjectName|endswith: - \DisableExceptionChainValidation - \MitigationOptions filter_edge: - Image|startswith: C:\Program Files (x86)\Microsoft\Temp\ - Image|endswith: \MicrosoftEdgeUpdate.exe + ProcessName|startswith: C:\Program Files (x86)\Microsoft\Temp\ + ProcessName|endswith: \MicrosoftEdgeUpdate.exe filter_msoffice: - - TargetObject|contains: - - \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ + - ObjectName|contains: + - \ClickToRunStore\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ - - Image: + - ProcessName: - C:\Program Files\Microsoft Office\root\integration\integrator.exe - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe filter_officeclicktorun: - Image|startswith: + ProcessName|startswith: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|endswith: \OfficeClickToRun.exe filter_security_extension_dc: - Image: C:\Windows\system32\svchost.exe - TargetObject|contains: + ProcessName: C:\Windows\system32\svchost.exe + ObjectName|contains: - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval - Details: + NewValue: - DWORD (0x00000009) - DWORD (0x000003c0) filter_ngen: - Image|startswith: C:\Windows\Microsoft.NET\Framework - Image|endswith: \ngen.exe + ProcessName|startswith: C:\Windows\Microsoft.NET\Framework + ProcessName|endswith: \ngen.exe filter_onedrive: - Image|endswith: 
\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe - TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached + ProcessName|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe + ObjectName|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary - Details|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\ - Details|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" + NewValue|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\ + NewValue|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" condition: registry_set and (nt_current_version_base and nt_current_version and not 1 of filter_*) fields: diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml index 1be3325b1..0955981cf 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml @@ -24,24 +24,24 @@ detection: EventID: 4657 Channel: Security ie: - TargetObject|contains: + ObjectName|contains: - \Software\Wow6432Node\Microsoft\Internet Explorer - \Software\Microsoft\Internet Explorer ie_details: - TargetObject|contains: + ObjectName|contains: - \Toolbar - \Extensions - \Explorer Bars filter_empty: - Details: (Empty) + NewValue: (Empty) filter_extensions: - TargetObject|contains: + ObjectName|contains: - \Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} - \Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - \Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - \Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a} filter_toolbar: - TargetObject|endswith: + ObjectName|endswith: - \Toolbar\ShellBrowser\ITBar7Layout - \Toolbar\ShowDiscussionButton - \Toolbar\Locked 
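Review bot: The new `filter_msoffice` entry `\ClickToRunStore\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\` carries a doubled backslash that looks like an artifact of substituting `\REGISTRY\MACHINE` for `HKLM` after an existing separator; the sibling entry on the next line and the equivalent filter in the asep_common hunk above use a single `\REGISTRY\MACHINE`. Sigma treats `\\` as the escape for one literal backslash, so the intent is recoverable, but backends differ in how faithfully they apply that rule, and the plain form `\ClickToRunStore\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\` removes the ambiguity and matches the rest of the sweep.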
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index 1bbe8509e..c0a60c7ee 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml @@ -24,11 +24,11 @@ detection: EventID: 4657 Channel: Security office: - TargetObject|contains: + ObjectName|contains: - \Software\Wow6432Node\Microsoft\Office - \Software\Microsoft\Office office_details: - TargetObject|contains: + ObjectName|contains: - \Word\Addins - \PowerPoint\Addins - \Outlook\Addins @@ -37,14 +37,14 @@ detection: - \Access\Addins - test\Special\Perf filter_empty: - Details: (Empty) + NewValue: (Empty) filter_known_addins: - Image|startswith: + ProcessName|startswith: - C:\Program Files\Microsoft Office\ - C:\Program Files (x86)\Microsoft Office\ - C:\Windows\System32\msiexec.exe - C:\Windows\System32\regsvr32.exe - TargetObject|contains: + ObjectName|contains: - \Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\ - \Excel\Addins\ExcelPlugInShell.PowerMapConnect\ - \Excel\Addins\NativeShim\ 
@@ -63,13 +63,13 @@ detection: - \Outlook\Addins\UCAddin.UCAddin.1 - \Outlook\Addins\UmOutlookAddin.FormRegionAddin\ filter_officeclicktorun: - Image|startswith: + ProcessName|startswith: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|endswith: \OfficeClickToRun.exe filter_avg: - Image: C:\Program Files\AVG\Antivirus\RegSvr.exe - TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\ + ProcessName: C:\Program Files\AVG\Antivirus\RegSvr.exe + ObjectName|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\ condition: registry_set and (office and office_details and not 1 of filter_*) fields: - SecurityID diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml index 99259fc88..ea834543f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml @@ -25,9 +25,9 @@ detection: EventID: 4657 Channel: Security session_manager_base: - TargetObject|contains: \System\CurrentControlSet\Control\Session Manager + ObjectName|contains: \System\CurrentControlSet\Control\Session Manager session_manager: - TargetObject|contains: + ObjectName|contains: - \SetupExecute - \S0InitialCommand - \KnownDlls @@ -35,7 +35,7 @@ detection: - \BootExecute - \AppCertDlls filter: - Details: (Empty) + NewValue: (Empty) condition: registry_set and (session_manager_base and session_manager and not filter) fields: 
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml index 7674c61b7..ae6a2ee75 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml @@ -24,15 +24,15 @@ detection: EventID: 4657 Channel: Security scripts_base: - TargetObject|contains: \Software\Policies\Microsoft\Windows\System\Scripts + ObjectName|contains: \Software\Policies\Microsoft\Windows\System\Scripts scripts: - TargetObject|contains: + ObjectName|contains: - \Startup - \Shutdown - \Logon - \Logoff filter: - Details: (Empty) + NewValue: (Empty) condition: registry_set and (scripts_base and scripts and not filter) fields: - SecurityID diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml index 24a320273..1428fa66d 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml 
@@ -24,15 +24,15 @@ detection: EventID: 4657 Channel: Security winsock_parameters_base: - TargetObject|contains: \System\CurrentControlSet\Services\WinSock2\Parameters + ObjectName|contains: \System\CurrentControlSet\Services\WinSock2\Parameters winsock_parameters: - TargetObject|contains: + ObjectName|contains: - \Protocol_Catalog9\Catalog_Entries - \NameSpace_Catalog5\Catalog_Entries filter: - - Details: (Empty) - - Image: C:\Windows\System32\MsiExec.exe - - Image: C:\Windows\syswow64\MsiExec.exe + - NewValue: (Empty) + - ProcessName: C:\Windows\System32\MsiExec.exe + - ProcessName: C:\Windows\syswow64\MsiExec.exe condition: registry_set and (winsock_parameters_base and winsock_parameters and not filter) fields: diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 5b5a62548..b2f4a2826 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -25,9 +25,9 @@ detection: EventID: 4657 Channel: Security selection_wow_current_version_base: - TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion + ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion selection_wow_current_version_keys: - TargetObject|contains: + ObjectName|contains: - \ShellServiceObjectDelayLoad - \Run\ - \RunOnce\ 
@@ -40,60 +40,60 @@ detection: - \Explorer\SharedTaskScheduler - \Explorer\Browser Helper Objects filter_empty: - Details: (Empty) + NewValue: (Empty) filter_edge: - Image|contains|all: + ProcessName|contains|all: - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ - \setup.exe filter_msoffice1: - Image: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe - TargetObject|contains: \Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\ + ProcessName: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe + ObjectName|contains: \Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\ filter_msoffice2: - Image: + ProcessName: - C:\Program Files\Microsoft Office\root\integration\integrator.exe - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe - TargetObject|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ + ObjectName|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ filter_dropbox: - - Details|endswith: -A251-47B7-93E1-CDD82E34AF8B} - - Details: grpconv -o - - Details|contains|all: + - NewValue|endswith: -A251-47B7-93E1-CDD82E34AF8B} + - NewValue: grpconv -o + - NewValue|contains|all: - C:\Program Files - \Dropbox\Client\Dropbox.exe - ' /systemstartup' filter_evernote: - TargetObject|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer + ObjectName|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer filter_dotnet: - Image|contains: \windowsdesktop-runtime- - TargetObject|endswith: + ProcessName|contains: \windowsdesktop-runtime- + ObjectName|endswith: - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc} - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537} - Details|startswith: '"C:\ProgramData\Package Cache\' - Details|endswith: .exe" /burn.runonce + 
NewValue|startswith: '"C:\ProgramData\Package Cache\' + NewValue|endswith: .exe" /burn.runonce filter_office: - Image|startswith: + ProcessName|startswith: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|endswith: \OfficeClickToRun.exe filter_ms_win_desktop_runtime: - Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-' + NewValue|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-' filter_vcredist: - Image|endswith: \VC_redist.x64.exe - Details|endswith: '}\VC_redist.x64.exe" /burn.runonce' + ProcessName|endswith: \VC_redist.x64.exe + NewValue|endswith: '}\VC_redist.x64.exe" /burn.runonce' filter_upgrades: - Image|startswith: + ProcessName|startswith: - C:\ProgramData\Package Cache - C:\Windows\Temp\ - Image|contains: + ProcessName|contains: - \winsdksetup.exe - \windowsdesktop-runtime- - \AspNetCoreSharedFrameworkBundle- - Details|endswith: ' /burn.runonce' + NewValue|endswith: ' /burn.runonce' filter_uninstallers: - Image|startswith: C:\Windows\Installer\MSI - TargetObject|contains: \Explorer\Browser Helper Objects + ProcessName|startswith: C:\Windows\Installer\MSI + ObjectName|contains: \Explorer\Browser Helper Objects filter_msiexec: - Image: C:\WINDOWS\system32\msiexec.exe - TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ + ProcessName: C:\WINDOWS\system32\msiexec.exe + ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ condition: registry_set and (all of selection_wow_current_version_* and not 1 of filter_*) fields: 
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml index fd684673e..8c9440dc6 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml @@ -24,9 +24,9 @@ detection: EventID: 4657 Channel: Security wow_classes_base: - TargetObject|contains: \Software\Wow6432Node\Classes + ObjectName|contains: \Software\Wow6432Node\Classes wow_classes: - TargetObject|contains: + ObjectName|contains: - \Folder\ShellEx\ExtShellFolderViews - \Folder\ShellEx\DragDropHandlers - \Folder\ShellEx\ColumnHandlers @@ -40,7 +40,7 @@ detection: - \ShellEx\PropertySheetHandlers - \ShellEx\ContextMenuHandlers filter: - Details: (Empty) + NewValue: (Empty) condition: registry_set and (wow_classes_base and wow_classes and not filter) fields: - SecurityID diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml index 83408319c..9f56b97bb 100644 --- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml 
@@ -24,14 +24,14 @@ detection: EventID: 4657 Channel: Security wow_nt_current_version_base: - TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion + ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion wow_nt_current_version: - TargetObject|contains: + ObjectName|contains: - \Windows\Appinit_Dlls - \Image File Execution Options - \Drivers32 filter: - Details: + NewValue: - (Empty) - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options diff --git a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml index 3008049ea..796d9db38 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml @@ -19,8 +19,8 @@ detection: EventID: 4657 Channel: Security selection: - EventType: SetValue - TargetObject|endswith: \Software\Winternals\BGInfo\Database + OperationType: '%%1905' + ObjectName|endswith: \Software\Winternals\BGInfo\Database condition: registry_set and selection falsepositives: - Legitimate use of external DB to save the results diff --git a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml index 1e2591213..d08b11026 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml @@ -21,9 +21,9 @@ detection: EventID: 4657 Channel: Security selection: - EventType: SetValue - TargetObject|contains: \Software\Winternals\BGInfo\UserFields\ - Details|startswith: '4' + OperationType: '%%1905' + ObjectName|contains: \Software\Winternals\BGInfo\UserFields\ + NewValue|startswith: '4' condition: registry_set and selection falsepositives: - Legitimate VBScript 
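Review bot: `OperationType: '%%1905'` in the bginfo_custom_db selection replaces Sysmon's `SetValue`, but 4657 reports the first write of a value as `%%1904` (value created) and only later writes as `%%1905` (value modified), so the rule misses the case it is after: the BGInfo Database value being set for the first time. A flow list, `OperationType: ['%%1904', '%%1905']`, covers both; alternatively the field can be dropped, since `EventID: 4657` already limits the match to value changes. The bginfo_custom_vbscript hunk on this line and bginfo_custom_wmi_query on the next carry the same restriction.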
diff --git a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml index 2dc4acc66..35f5b36cf 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml @@ -21,9 +21,9 @@ detection: EventID: 4657 Channel: Security selection: - EventType: SetValue - TargetObject|contains: \Software\Winternals\BGInfo\UserFields\ - Details|startswith: '6' + OperationType: '%%1905' + ObjectName|contains: \Software\Winternals\BGInfo\UserFields\ + NewValue|startswith: '6' condition: registry_set and selection falsepositives: - Legitimate WMI query diff --git a/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml b/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml index e96e6fbe7..a30ba820b 100644 --- a/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml +++ b/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml @@ -20,11 +20,11 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject: - - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections - - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled - Details: DWORD (0x00000001) + ObjectName: + - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections + - \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Unknown 
diff --git a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml index 70678810d..24ef035d9 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml @@ -21,8 +21,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \open\command\DelegateExecute - Details: (Empty) + ObjectName|endswith: \open\command\DelegateExecute + NewValue: (Empty) condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml index 3eb38e0a2..b33e6f806 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml @@ -20,9 +20,9 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: _Classes\mscfile\shell\open\command\(Default) + ObjectName|endswith: _Classes\mscfile\shell\open\command\(Default) filter: - Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %' + NewValue|startswith: '%SystemRoot%\system32\mmc.exe "%1" %' condition: registry_set and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml index 1562cc9cd..aecf40c6f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml 
@@ -22,8 +22,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \Environment\windir
- Details|contains: '&REM'
+ ObjectName|endswith: \Environment\windir
+ NewValue|contains: '&REM'
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml b/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml
index f6f0643c9..16f1e155f 100644
--- a/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml
@@ -26,9 +26,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
+ ObjectName: \REGISTRY\MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
 filter:
- Details: DWORD (0x00000d3d)
+ NewValue: DWORD (0x00000d3d)
 condition: registry_set and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml b/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml
index d22fdfb0a..7e267407d 100644
--- a/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml
@@ -22,10 +22,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection_domains:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
- Settings\ZoneMap\Domains\
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
 filter:
- Details:
+ NewValue:
 - DWORD (0x00000000)
 - DWORD (0x00000001)
 - (Empty)
diff --git a/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
index 96647b6a0..6a51289f6 100644
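Review bot: The `filter` value `NewValue: DWORD (0x00000d3d)` is the Sysmon `Details` rendering; if 4657 reports the REG_DWORD as decimal `3389` (as I recall it does), the filter never matches and the rule alerts on every `PortNumber` write, including resets to the default port. The selection has the mirror problem: `ObjectName:` is an exact match that still ends in the value name, while 4657 reports `PortNumber` in `ObjectValueName` and stops `ObjectName` at `...\RDP-Tcp`. I would use `ObjectName|endswith: \Control\Terminal Server\WinStations\RDP-Tcp`, `ObjectValueName: PortNumber`, and `NewValue: '3389'` in the filter, which also sidesteps `CurrentControlSet` possibly appearing as the resolved `ControlSet00N` in the native path.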
--- a/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
@@ -21,8 +21,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKLM\SYSTEM\CurrentControlSet\
- TargetObject|endswith: \Instances\Sysmon Instance\Altitude
+ ObjectName|startswith: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\
+ ObjectName|endswith: \Instances\Sysmon Instance\Altitude
 condition: registry_set and selection
 falsepositives:
 - Legitimate driver altitude change to hide sysmon
diff --git a/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml
index f3dbf41af..f752568ad 100644
--- a/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -21,16 +21,16 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
- TargetObject|endswith: \ChannelAccess
- Details|contains:
+ ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
+ ObjectName|endswith: \ChannelAccess
+ NewValue|contains:
 - (A;;0x1;;;SY)
 - (A;;0x5;;;BA)
 - (A;;0x1;;;LA)
 filter_trustedinstaller:
- Image: C:\Windows\servicing\TrustedInstaller.exe
+ ProcessName: C:\Windows\servicing\TrustedInstaller.exe
 filter_ti_worker:
- Image|endswith: \TiWorker.exe
+ ProcessName|endswith: \TiWorker.exe
 condition: registry_set and (selection and not 1 of filter*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_chrome_extension.yml b/sigma/builtin/registry/registry_set/registry_set_chrome_extension.yml
index 10c1f10a6..0fe642a4f 100644
--- a/sigma/builtin/registry/registry_set/registry_set_chrome_extension.yml
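Review bot: `ObjectName|endswith: \Instances\Sysmon Instance\Altitude` names the value, but 4657 reports the key in `ObjectName` and `Altitude` in `ObjectValueName`, so the suffix test fails on every event and the altitude-tampering detection goes dark. The `startswith: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\` prefix is fragile as well: the native object path in audit events is, as far as I know, the resolved `\REGISTRY\MACHINE\SYSTEM\ControlSet00N\...` rather than the `CurrentControlSet` link. `ObjectName|contains: \Services\`, `ObjectName|endswith: \Instances\Sysmon Instance` and `ObjectValueName: Altitude` express the same intent without either dependency.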
+++ b/sigma/builtin/registry/registry_set/registry_set_chrome_extension.yml
@@ -18,10 +18,10 @@ detection:
 EventID: 4657
 Channel: Security
 chrome_ext:
- TargetObject|contains: Software\Wow6432Node\Google\Chrome\Extensions
- TargetObject|endswith: update_url
+ ObjectName|contains: Software\Wow6432Node\Google\Chrome\Extensions
+ ObjectName|endswith: update_url
 chrome_vpn:
- TargetObject|contains:
+ ObjectName|contains:
 - fdcgdnkidjaadafnichfpabhfomcebme
 - fcfhplploccackoneaefokcmbjfbkenj
 - bihmplhobchoageeokmgbdihknkjbknd
diff --git a/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml
index 67c4581e2..f24d09123 100644
--- a/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml
@@ -20,14 +20,14 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\
- TargetObject|endswith:
+ ObjectName|contains: \SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\
+ ObjectName|endswith:
 - \Internet
 - \LocalIntranet
 - \MyComputer
 - \TrustedSites
 - \UntrustedSites
- Details: Enabled
+ NewValue: Enabled
 condition: registry_set and selection
 falsepositives:
 - Legitimate internal requirements.
diff --git a/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index 2f2be3ac8..a166edbd5 100644
--- a/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -31,13 +31,13 @@ detection:
 EventID: 4657
 Channel: Security
 main:
- TargetObject|contains: HKLM\System\CurrentControlSet\Services
+ ObjectName|contains: \REGISTRY\MACHINE\System\CurrentControlSet\Services
 selection_1:
- Details|contains|all:
+ NewValue|contains|all:
 - ADMIN$
 - .exe
 selection_2:
- Details|contains|all:
+ NewValue|contains|all:
 - '%COMSPEC%'
 - start
 - powershell
diff --git a/sigma/builtin/registry/registry_set/registry_set_comhijack_sdclt.yml b/sigma/builtin/registry/registry_set/registry_set_comhijack_sdclt.yml
index 4ed0e1285..63056ac62 100644
--- a/sigma/builtin/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -20,7 +20,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \Software\Classes\Folder\shell\open\command\DelegateExecute
+ ObjectName|contains: \Software\Classes\Folder\shell\open\command\DelegateExecute
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_crashdump_disabled.yml b/sigma/builtin/registry/registry_set/registry_set_crashdump_disabled.yml
index 7dbc1109b..3b300f72b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -18,8 +18,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: SYSTEM\CurrentControlSet\Control\CrashControl
- Details: DWORD (0x00000000)
+ ObjectName|contains: SYSTEM\CurrentControlSet\Control\CrashControl
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Legitimate disabling of crashdumps
diff --git a/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml b/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 7c07d857b..f254f56b4 100644
--- a/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -22,27 +22,27 @@ detection:
 EventID: 4657
 Channel: Security
 selection_1:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\
- TargetObject|endswith: \Start
- Image|contains:
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\
+ ObjectName|endswith: \Start
+ ProcessName|contains:
 - \Users\Public\
 - \Perflogs\
 - \ADMIN$\
 - \Temp\
- Details:
+ NewValue:
 - DWORD (0x00000000)
 - DWORD (0x00000001)
 - DWORD (0x00000002)
 selection_2:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\
- TargetObject|endswith: \ImagePath
- Details|contains:
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\
+ ObjectName|endswith: \ImagePath
+ NewValue|contains:
 - \Users\Public\
 - \Perflogs\
 - \ADMIN$\
 - \Temp\
 filter_1:
- Image|contains|all:
+ ProcessName|contains|all:
 - \Common Files\
 - \Temp\
 condition: registry_set and (1 of selection_* and not 1 of filter_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
index 9ef52974f..12b17b8eb 100644
--- a/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
@@ -19,26 +19,26 @@ detection:
 EventID: 4657
 Channel: Security
 selection_1:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\
- TargetObject|endswith: \Start
- Image|contains:
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\
+ ObjectName|endswith: \Start
+ ProcessName|contains:
 - \AppData\Local\
 - \AppData\Roaming\
- Details:
+ NewValue:
 - DWORD (0x00000000)
 - DWORD (0x00000001)
 - DWORD (0x00000002)
 selection_2:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\
- TargetObject|endswith: \ImagePath
- Details|contains:
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\
+ ObjectName|endswith: \ImagePath
+ NewValue|contains:
 - \AppData\Local\
 - \AppData\Roaming\
 filter:
- - Image|contains:
+ - ProcessName|contains:
 - \AppData\Roaming\Zoom
 - \AppData\Local\Zoom
- - Details|contains:
+ - NewValue|contains:
 - \AppData\Roaming\Zoom
 - \AppData\Local\Zoom
 condition: registry_set and (1 of selection_* and not filter)
diff --git a/sigma/builtin/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/sigma/builtin/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
index fcea2bbfd..df543ca58 100644
--- a/sigma/builtin/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -18,8 +18,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: shell\open\command\
- Details|contains|all:
+ ObjectName|contains: shell\open\command\
+ NewValue|contains|all:
 - powershell
 - -command
 condition: registry_set and selection
diff --git a/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml b/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
index 18d91ff97..9bc2fe8e3 100644
--- a/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
@@ -21,8 +21,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
- Details|contains:
+ ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
+ NewValue|contains:
 - .dll
 - .exe
 - .bat
diff --git a/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml b/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml
index 9cd3cdafc..b78df5825 100644
--- a/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml
@@ -20,7 +20,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKCR\ms-msdt\
+ ObjectName|startswith: HKCR\ms-msdt\
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index eaecc58e8..5840a8924 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -21,9 +21,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \Microsoft\.NETFramework\DbgManagedDebugger
+ ObjectName|endswith: \Microsoft\.NETFramework\DbgManagedDebugger
 filter:
- Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT
+ NewValue: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT
 "%s" EVTHDL %d'
 condition: registry_set and (selection and not filter)
 falsepositives:
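Review bot: `ObjectName|startswith: HKCR\ms-msdt\` is the one path in this batch left in Sysmon's hive notation, so it can never match a 4657 `ObjectName`, which uses the native form — `\REGISTRY\MACHINE\SOFTWARE\Classes\ms-msdt` or `\REGISTRY\USER\<SID>_Classes\ms-msdt`, the two places HKCR merges. `ObjectName|contains: \Classes\ms-msdt` covers both and is consistent with the `\REGISTRY\MACHINE\` rewrites applied elsewhere in this commit. The trailing backslash should go as well, since the 4657 key path carries no separator after its last component and the value name is reported in `ObjectValueName`.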
diff --git a/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml b/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml
index b9b0cb346..a82d8178b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml
@@ -21,7 +21,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection2:
- TargetObject|contains: \Microsoft\Windows Defender\Exclusions
+ ObjectName|contains: \Microsoft\Windows Defender\Exclusions
 condition: registry_set and selection2
 falsepositives:
 - Administrator actions
diff --git a/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
index c4876d6fb..1b06db85b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
@@ -21,9 +21,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- EventType: SetValue
- TargetObject|endswith: \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
- Details: DWORD (0x00000000)
+ OperationType: '%%1905'
+ ObjectName|endswith: \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml b/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml
index 5680da7fd..b0c9a27b3 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml
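Review bot: This rule now silently depends on audit configuration that nothing in the file states: 4657 is only written when the Object Access > Audit Registry subcategory is enabled and the `...\Windows Defender\Exclusions` key carries a SACL with Set Value auditing, and as far as I know Windows sets neither by default. A one-line caveat in the description or `falsepositives` section — e.g. "Requires Audit Registry and a Set Value SACL on the Exclusions key; without them no 4657 event is produced and this rule never fires" — would stop the rule being deployed as a no-op. Only the detection block is visible in the hunk, so the description itself is outside my view.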
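Review bot: `OperationType: '%%1905'` translates Sysmon's `SetValue` only for the "existing value modified" case; the first write of `...\HypervisorEnforcedCodeIntegrity\Enabled` is audited as `%%1904` (new value created) and would be missed, which is exactly the case where an attacker creates the value as `0` to keep HVCI off. `OperationType: ['%%1904', '%%1905']` is the closer equivalent, unless the `registry_set` selector above the hunk already pins it. As with the other rules in this batch, `ObjectName|endswith: ...\Enabled` should become `ObjectName|endswith: \Scenarios\HypervisorEnforcedCodeIntegrity` plus `ObjectValueName: Enabled`, and `NewValue: DWORD (0x00000000)` should be the decimal `'0'` that 4657 reports for a REG_DWORD, as far as I recall it.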
@@ -23,7 +23,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith:
+ ObjectName|endswith:
 - \Services\DHCPServer\Parameters\CalloutDlls
 - \Services\DHCPServer\Parameters\CalloutEnabled
 condition: registry_set and selection
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml b/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml
index 8a1ffbab8..3edb2f9b6 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -20,11 +20,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\
- TargetObject|endswith:
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
+ ObjectName|endswith:
 - AutoShareWks
 - AutoShareServer
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml b/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml
index 10d318b94..0299359c1 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -20,17 +20,17 @@ detection:
 EventID: 4657
 Channel: Security
 selection_main:
- TargetObject|contains: \System\CurrentControlSet\Control\WMI\Autologger\
+ ObjectName|contains: \System\CurrentControlSet\Control\WMI\Autologger\
 selection_values:
- TargetObject|contains:
+ ObjectName|contains:
 - \EventLog-
 - \Defender
- TargetObject|endswith:
+ ObjectName|endswith:
 - \Enable
 - \Start
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 filter_wevtutil:
- Image: C:\Windows\system32\wevtutil.exe
+ ProcessName: C:\Windows\system32\wevtutil.exe
 condition: registry_set and (all of selection_* and not 1 of filter_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml b/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml
index c16c991c7..9f12bfaba 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml
@@ -19,9 +19,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
- TargetObject|endswith: \EnableFirewall
- Details: DWORD (0x00000000)
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
+ ObjectName|endswith: \EnableFirewall
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml b/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml
index d03fdd2cd..ce87184e3 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml
@@ -23,7 +23,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection_set_1:
- TargetObject|endswith:
+ ObjectName|endswith:
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
@@ -33,15 +33,15 @@ detection:
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
 - SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
 - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
- Details: DWORD (0x00000001)
+ NewValue: DWORD (0x00000001)
 selection_set_0:
- TargetObject|endswith:
+ ObjectName|endswith:
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
 - SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled
 - SYSTEM\CurrentControlSet\Control\Storage\Write Protection
 - SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 condition: registry_set and (1 of selection_set_*)
 falsepositives:
 - Legitimate admin script
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
index 48d7710cf..635434cfc 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
@@ -20,12 +20,12 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \SOFTWARE\
 - \Microsoft\Office\
 - \Common\Security
- TargetObject|endswith: \MacroRuntimeScanScope
- Details: DWORD (0x00000000)
+ ObjectName|endswith: \MacroRuntimeScanScope
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/sigma/builtin/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
index b84556a14..df9ad29ce 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
@@ -18,8 +18,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience
- Details: DWORD (0x00000000)
+ ObjectName|endswith: \SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Legitimate admin script
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml b/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml
index bb4cdb07e..b3bfa95ba 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience
- Details: DWORD (0x00000000)
+ ObjectName|endswith: Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml b/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml
index 13a947b27..d38614688 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml
@@ -19,13 +19,13 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains:
+ ObjectName|contains:
 - \Policies\Microsoft\Windows NT\SystemRestore
 - \Microsoft\Windows NT\CurrentVersion\SystemRestore
- TargetObject|endswith:
+ ObjectName|endswith:
 - DisableConfig
 - DisableSR
- Details: DWORD (0x00000001)
+ NewValue: DWORD (0x00000001)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml b/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
index 9b8b4faef..06234d376 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
@@ -21,8 +21,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Details: DWORD (0x00000000)
+ ObjectName|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml b/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml
index 7cfc7f06b..81421baeb 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -20,8 +20,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start
- Details: DWORD (0x00000004)
+ ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Start
+ NewValue: DWORD (0x00000004)
 condition: registry_set and selection
 falsepositives:
 - Administrator actions
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_windows_firewall.yml b/sigma/builtin/registry/registry_set/registry_set_disable_windows_firewall.yml
index fc9dd37fb..20aa8f696 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_windows_firewall.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_windows_firewall.yml
@@ -18,10 +18,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith:
+ ObjectName|endswith:
 - \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
 - \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml b/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml
index 4f607cd80..7765ba0fb 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml
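Review bot: `ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Start` is an exact match that still includes the value name; in 4657 the value name is a separate `ObjectValueName` field and `ObjectName` stops at `...\Services\WinDefend`, so this rule will not fire when Defender's service is set to disabled. The two-field form is `ObjectName|endswith: \Services\WinDefend` with `ObjectValueName: Start`, and `NewValue: '4'` rather than the Sysmon `DWORD (0x00000004)` rendering, since 4657 reports a REG_DWORD as decimal as far as I recall. Using `endswith` also avoids assuming `CurrentControlSet` rather than a resolved `ControlSet00N` appears in the native object path.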
@@ -20,29 +20,29 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
- TargetObject|endswith: \Enabled
- Details: DWORD (0x00000000)
+ ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
+ ObjectName|endswith: \Enabled
+ NewValue: DWORD (0x00000000)
 filter_main_wevutil:
- Image|endswith: \Windows\system32\wevtutil.exe
+ ProcessName|endswith: \Windows\system32\wevtutil.exe
 filter_main_iis:
- Image|startswith: C:\Windows\winsxs\
- Image|endswith: \TiWorker.exe
+ ProcessName|startswith: C:\Windows\winsxs\
+ ProcessName|endswith: \TiWorker.exe
 filter_main_svchost:
- Image: C:\Windows\System32\svchost.exe
- TargetObject|contains:
+ ProcessName: C:\Windows\System32\svchost.exe
+ ObjectName|contains:
 - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter
 - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\
 - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\
 - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\
 - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\
 filter_main_trusted_installer:
- Image: C:\Windows\servicing\TrustedInstaller.exe
- TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser
+ ProcessName: C:\Windows\servicing\TrustedInstaller.exe
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser
 filter_optional_empty:
- Image: ''
+ ProcessName: ''
 filter_optional_null:
- Image: null
+ ProcessName: null
 condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
diff --git a/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index 2fa9df2a0..32568984c 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -18,9 +18,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: SOFTWARE\Policies\Microsoft\Windows Defender Security
+ ObjectName|contains: SOFTWARE\Policies\Microsoft\Windows Defender Security
 Center\App and Browser protection\DisallowExploitProtectionOverride
- Details: DWORD (00000001)
+ NewValue: DWORD (00000001)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index 1d0ec903b..c938242db 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -19,9 +19,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
 Defender/Operational\Enabled
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Other Antivirus software installations could cause Windows to disable that eventlog
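Review bot: `NewValue: DWORD (00000001)` carries over a literal that was already malformed for Sysmon (its `Details` rendering is `DWORD (0x00000001)`) and is wrong for 4657 as well, where a REG_DWORD is reported as decimal `1` as far as I recall; either way this selection never matches. The `ObjectName|contains` value, which continues on the unchanged context line `Center\App and Browser protection\DisallowExploitProtectionOverride`, also ends in the value name that 4657 reports in `ObjectValueName` rather than in `ObjectName`. `ObjectName|endswith: \App and Browser protection`, `ObjectValueName: DisallowExploitProtectionOverride` and `NewValue: '1'` is the working form.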
diff --git a/sigma/builtin/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/sigma/builtin/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index 5d8d86629..03c120698 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -18,8 +18,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \Policies\Microsoft\Windows Defender\PUAProtection
- Details: DWORD (0x00000000)
+ ObjectName|contains: \Policies\Microsoft\Windows Defender\PUAProtection
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index 901ccb901..70e9a6341 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -18,13 +18,13 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \Microsoft\Windows Defender\Features\TamperProtection
- Details: DWORD (0x00000000)
+ ObjectName|contains: \Microsoft\Windows Defender\Features\TamperProtection
+ NewValue: DWORD (0x00000000)
 filter_msmpeng_client:
- Image|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
- Image|endswith: \MsMpEng.exe
+ ProcessName|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
+ ProcessName|endswith: \MsMpEng.exe
 filter_msmpeng_domain_controller:
- Image: C:\Program Files\Windows Defender\MsMpEng.exe
+ ProcessName: C:\Program Files\Windows Defender\MsMpEng.exe
 condition: registry_set and (selection and not 1 of filter_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml b/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml
index 72a74eb84..0279a440d 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
- Details: DWORD (0x00000001)
+ ObjectName|endswith: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
+ NewValue: DWORD (0x00000001)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
index 2c7dcd475..f5cac2bea 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
@@ -27,15 +27,15 @@ detection:
 EventID: 4657
 Channel: Security
 root:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\
 selection_autorun:
- TargetObject|contains: \Autorun
- Details: DWORD (0x00000001)
+ ObjectName|contains: \Autorun
+ NewValue: DWORD (0x00000001)
 selection_pre_after:
- TargetObject|contains:
+ ObjectName|contains:
 - \CleanupString
 - \PreCleanupString
- Details|contains:
+ NewValue|contains:
 - cmd
 - powershell
 - rundll32
diff --git a/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml b/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml
index cd357afef..aeb18904e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -30,14 +30,14 @@ detection:
 EventID: 4657
 Channel: Security
 selection_edge:
- TargetObject|endswith: \SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled
+ NewValue: DWORD (0x00000001)
 selection_chrome:
- TargetObject|endswith: \SOFTWARE\Google\Chrome\DnsOverHttpsMode
- Details: secure
+ ObjectName|endswith: \SOFTWARE\Google\Chrome\DnsOverHttpsMode
+ NewValue: secure
 selection_firefox:
- TargetObject|endswith: \SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled
+ NewValue: DWORD (0x00000001)
 condition: registry_set and (1 of selection_*)
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
index 35b3c6356..13806681e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
@@ -27,7 +27,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \services\DNS\Parameters\ServerLevelPluginDll
+ ObjectName|endswith: \services\DNS\Parameters\ServerLevelPluginDll
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index f4d1b0477..5b245b922 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -32,13 +32,13 @@ detection:
 EventID: 4657
 Channel: Security
 selection_etw_enabled:
- TargetObject|endswith: SOFTWARE\Microsoft\.NETFramework\ETWEnabled
- Details: DWORD (0x00000000)
+ ObjectName|endswith: SOFTWARE\Microsoft\.NETFramework\ETWEnabled
+ NewValue: DWORD (0x00000000)
 selection_complus:
- TargetObject|endswith:
+ ObjectName|endswith:
 - \COMPlus_ETWEnabled
 - \COMPlus_ETWFlags
- Details:
+ NewValue:
 - 0
 - DWORD (0x00000000)
 condition: registry_set and (1 of selection_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
index 0f0c6dc83..4155f2796 100644
--- a/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
@@ -24,12 +24,12 @@ detection:
 EventID: 4657
 Channel: Security
 selection_1:
- TargetObject|endswith:
+ ObjectName|endswith:
 - \COR_ENABLE_PROFILING
 - \COR_PROFILER
 - \CORECLR_ENABLE_PROFILING
 selection_2:
- TargetObject|contains: \CORECLR_PROFILER_PATH
+ ObjectName|contains: \CORECLR_PROFILER_PATH
 condition: registry_set and (1 of selection_*)
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index 4d3d42647..ce6b09221 100644
--- a/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck
+ NewValue: DWORD (0x00000001)
 condition: registry_set and selection
 falsepositives:
 - Administrator actions
diff --git a/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml
index ef51c0db4..790e73329 100644
--- a/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SYSTEM\CurrentControlSet\Services\EventLog\
- TargetObject|endswith: \File
+ ObjectName|contains: \SYSTEM\CurrentControlSet\Services\EventLog\
+ ObjectName|endswith: \File
 filter:
- Details|contains: \System32\Winevt\Logs\
+ NewValue|contains: \System32\Winevt\Logs\
 condition: registry_set and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
index b0eba8b37..4d1216b19 100644
--- a/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection_key:
- TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender
+ ObjectName|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications
 selection_paths:
- TargetObject|contains:
+ ObjectName|contains:
 - \Users\Public\
 - \AppData\Local\Temp\
 - \Desktop\
diff --git a/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml b/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml
index 26934f322..80ca3963f 100644
--- a/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -20,9 +20,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
+ ObjectName: \REGISTRY\MACHINE\System\CurrentControlSet\Services\Fax\ObjectName
 filter:
- Details|contains: NetworkService
+ NewValue|contains: NetworkService
 condition: registry_set and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_fax_dll_persistance.yml b/sigma/builtin/registry/registry_set/registry_set_fax_dll_persistance.yml
index edba73d56..78fc6a675 100644
--- a/sigma/builtin/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -19,11 +19,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \Software\Microsoft\Fax\Device Providers\
 - \ImageName
 filter:
- Details: '%systemroot%\system32\fxst30.dll'
+ NewValue: '%systemroot%\system32\fxst30.dll'
 condition: registry_set and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml b/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml
index a4f2d9890..5dfb49698 100644
--- a/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml
@@ -18,8 +18,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: Classes\.
- Details: exefile
+ ObjectName|contains: Classes\.
+ NewValue: exefile
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml
index 7e8e7de2b..caee0fb71 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml
@@ -19,7 +19,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger
 condition: registry_set and selection
 falsepositives:
 - This value is not set by default but could be rarly used by administrators
diff --git a/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml
index 6cd29d4a5..8eb8779be 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -19,9 +19,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)
+ ObjectName|contains: \CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)
 filter:
- Details: C:\Windows\System32\hhctrl.ocx
+ NewValue: C:\Windows\System32\hhctrl.ocx
 condition: registry_set and (selection and not filter)
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/registry/registry_set/registry_set_hidden_extention.yml b/sigma/builtin/registry/registry_set/registry_set_hidden_extention.yml
index 7a65979b5..9ca570406 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hidden_extention.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hidden_extention.yml
@@ -20,11 +20,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection_HideFileExt:
- TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
+ NewValue: DWORD (0x00000001)
 selection_Hidden:
- TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
- Details: DWORD (0x00000002)
+ ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
+ NewValue: DWORD (0x00000002)
 condition: registry_set and (1 of selection_*)
 falsepositives:
 - Administrative scripts
diff --git a/sigma/builtin/registry/registry_set/registry_set_hide_file.yml b/sigma/builtin/registry/registry_set/registry_set_hide_file.yml
index 56d4dd181..c7fc33fa7 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hide_file.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hide_file.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject:
- - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
- Details: DWORD (0x00000000)
+ ObjectName:
+ - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
+ - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml b/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml
index 236374e37..cf7c40682 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml
@@ -19,18 +19,18 @@ detection:
 EventID: 4657
 Channel: Security
 selection_set_1:
- TargetObject|endswith:
+ ObjectName|endswith:
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume
- Details: DWORD (0x00000001)
+ NewValue: DWORD (0x00000001)
 selection_set_0:
- TargetObject|endswith:
+ ObjectName|endswith:
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 condition: registry_set and (1 of selection_set_*)
 falsepositives:
 - Legitimate admin script
diff --git a/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index 32a6d9e5d..0a6d6e656 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -29,10 +29,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
 - Index
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
index 117718f4f..6909b35a6 100644
--- a/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
@@ -27,11 +27,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
- TargetObject|endswith:
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
+ ObjectName|endswith:
 - \http
 - \https
- Details|contains: DWORD (0x00000000)
+ NewValue|contains: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml b/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml
index 819a21897..463596e44 100644
--- a/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml
@@ -31,11 +31,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \Control\Keyboard Layouts\
 - Ime File
 filter_main_known_extension:
- Details|endswith: .ime
+ NewValue|endswith: .ime
 condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
 - IMEs are essential for languages that have more characters than can be represented
diff --git a/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml b/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml
index 147890957..ed9f313bf 100644
--- a/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml
@@ -31,11 +31,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection_registry:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \Control\Keyboard Layouts\
 - Ime File
 selection_folders_1:
- Details|contains:
+ NewValue|contains:
 - :\Perflogs\
 - :\Users\Public\
 - :\Windows\Temp\
@@ -43,13 +43,13 @@ detection:
 - \AppData\Roaming\
 - \Temporary Internet
 selection_folders_2:
- - Details|contains|all:
+ - NewValue|contains|all:
 - :\Users\
 - \Favorites\
- - Details|contains|all:
+ - NewValue|contains|all:
 - :\Users\
 - \Favourites\
- - Details|contains|all:
+ - NewValue|contains|all:
 - :\Users\
 - \Contacts\
 condition: registry_set and (selection_registry and 1 of selection_folders_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index cac8aafee..f3f0593bd 100644
--- a/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -20,7 +20,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains:
+ ObjectName|contains:
 - \SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\
 - \SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\
 - \SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\
@@ -30,8 +30,8 @@ detection:
 - \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\
 - \SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\
 - \SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\
- TargetObject|endswith: \Blob
- Details: Binary Data
+ ObjectName|endswith: \Blob
+ NewValue: Binary Data
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
index 81e7b226e..8fb2a3939 100644
--- a/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
@@ -23,12 +23,12 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
- Details:
+ ObjectName|endswith: \Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
+ NewValue:
 - DWORD (0x00000001)
 - DWORD (0x00000002)
 filter_main_generic:
- Image:
+ ProcessName:
 - C:\Windows\explorer.exe
 - C:\Windows\System32\ie4uinit.exe
 condition: registry_set and (selection and not 1 of filter_main_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml b/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml
index 7b5b326ec..69d006ca5 100644
--- a/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains:
+ ObjectName|contains:
 - \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
 - \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
- Details|contains:
+ NewValue|contains:
 - encrypted
 - Unlock-Password
 - paying
diff --git a/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index 6679c40d3..1e483c90e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
@@ -24,7 +24,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC
+ ObjectName|contains: \SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 7f1c01389..99ed2bbdd 100644
--- a/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -31,7 +31,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
+ ObjectName|endswith: System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index f69d3fcc1..e20e2a457 100644
--- a/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml
@@ -22,10 +22,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains:
+ ObjectName|contains:
 - \SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType
 - \SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType
- Details: DWORD (0x00000002)
+ NewValue: DWORD (0x00000002)
 condition: registry_set and selection
 falsepositives:
 - Legitimate application that needs to do a full dump of their process
diff --git a/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml b/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml
index f9250a501..5a7382276 100644
--- a/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml
@@ -23,8 +23,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Details|startswith: '%AppData%\Roaming\Oracle\bin\'
+ ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ NewValue|startswith: '%AppData%\Roaming\Oracle\bin\'
 condition: registry_set and selection
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index c541ecfb2..9d350cd47 100644
--- a/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -22,7 +22,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll
+ ObjectName|endswith: \CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index 1eb2abb0f..ad6a5f1e7 100644
--- a/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -28,7 +28,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog
+ ObjectName|endswith: SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
index 7da0b87a0..816dbe3ab 100644
--- a/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
@@ -27,25 +27,25 @@ detection:
 EventID: 4657
 Channel: Security
 selection_target:
- TargetObject|contains: \SOFTWARE\Microsoft\NetSh
+ ObjectName|contains: \SOFTWARE\Microsoft\NetSh
 selection_folders_1:
- Details|contains:
+ NewValue|contains:
 - :\Perflogs\
 - :\Users\Public\
 - :\Windows\Temp\
 - \AppData\Local\Temp\
 - \Temporary Internet
 selection_folders_2:
- - Details|contains|all:
+ - NewValue|contains|all:
 - :\Users\
 - \Favorites\
- - Details|contains|all:
+ - NewValue|contains|all:
 - :\Users\
 - \Favourites\
- - Details|contains|all:
+ - NewValue|contains|all:
 - :\Users\
 - \Contacts\
- - Details|contains|all:
+ - NewValue|contains|all:
 - :\Users\
 - \Pictures\
 condition: registry_set and (selection_target and 1 of selection_folders_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index 7f94f97f2..f3daa3b4c 100644
--- a/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -27,8 +27,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\Microsoft\NetSh
- Details|contains: .dll
+ ObjectName|contains: \SOFTWARE\Microsoft\NetSh
+ NewValue|contains: .dll
 condition: registry_set and selection
 falsepositives:
 - Legitimate helper added by different programs and the OS
diff --git a/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml b/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml
index 98f6e0bd0..c97b520da 100644
--- a/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml
@@ -20,7 +20,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \AppCompatFlags\Compatibility Assistant\Store\
+ ObjectName|contains: \AppCompatFlags\Compatibility Assistant\Store\
 condition: registry_set and selection
 falsepositives:
 - This rule is to explore new applications on an endpoint. False positives depends
diff --git a/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml b/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml
index 09fa8d81a..8da2b65bf 100644
--- a/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml
@@ -23,16 +23,16 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \System\CurrentControlSet\Services\
 - \NetworkProvider
 filter:
- TargetObject|contains:
+ ObjectName|contains:
 - \System\CurrentControlSet\Services\WebClient\NetworkProvider
 - \System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
 - \System\CurrentControlSet\Services\RDPNP\NetworkProvider
 filter_valid_procs:
- Image: C:\Windows\System32\poqexec.exe
+ ProcessName: C:\Windows\System32\poqexec.exe
 condition: registry_set and (selection and not 1 of filter*)
 falsepositives:
 - Other legitimate network providers used and not filtred in this rule
diff --git a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml
index 418b37454..7b38c87a8 100644
--- a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml
@@ -17,19 +17,19 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\ODBC\ODBCINST.INI\
- TargetObject|endswith: \Driver
+ ObjectName|contains: \SOFTWARE\ODBC\ODBCINST.INI\
+ ObjectName|endswith: \Driver
 filter_main_sqlserver:
- TargetObject|contains: \SQL Server\
- Details: '%WINDIR%\System32\SQLSRV32.dll'
+ ObjectName|contains: \SQL Server\
+ NewValue: '%WINDIR%\System32\SQLSRV32.dll'
 filter_optional_office_access:
- TargetObject|contains: '\Microsoft Access '
- Details|startswith: C:\Progra
- Details|endswith: \ACEODBC.DLL
+ ObjectName|contains: '\Microsoft Access '
+ NewValue|startswith: C:\Progra
+ NewValue|endswith: \ACEODBC.DLL
 filter_optional_office_excel:
- TargetObject|contains: \Microsoft Excel Driver
- Details|startswith: C:\Progra
- Details|endswith: \ACEODBC.DLL
+ ObjectName|contains: \Microsoft Excel Driver
+ NewValue|startswith: C:\Progra
+ NewValue|endswith: \ACEODBC.DLL
 condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
diff --git a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
index 9f40f4196..6f7921704 100644
--- a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
@@ -19,11 +19,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|contains: \SOFTWARE\ODBC\ODBCINST.INI\
- TargetObject|endswith:
+ ObjectName|contains: \SOFTWARE\ODBC\ODBCINST.INI\
+ ObjectName|endswith:
 - \Driver
 - \Setup
- Details|contains:
+ NewValue|contains:
 - :\PerfLogs\
 - :\ProgramData\
 - :\Temp\
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml
index 4c7cf928e..7c266350c 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml
@@ -25,8 +25,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \Security\AccessVBOM
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \Security\AccessVBOM
+ NewValue: DWORD (0x00000001)
 condition: registry_set and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml b/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml
index 99fbf83e8..2b0a8579e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml
@@ -25,19 +25,19 @@ detection:
 EventID: 4657
 Channel: Security
 selection_path:
- TargetObject|contains|all:
+ ObjectName|contains|all:
 - \SOFTWARE\Microsoft\Office\
 - \Security\ProtectedView\
 selection_values_1:
- Details: DWORD (0x00000001)
- TargetObject|endswith:
+ NewValue: DWORD (0x00000001)
+ ObjectName|endswith:
 - \DisableAttachementsInPV
 - \DisableInternetFilesInPV
 - \DisableIntranetCheck
 - \DisableUnsafeLocationsInPV
 selection_values_0:
- Details: DWORD (0x00000000)
- TargetObject|endswith:
+ NewValue: DWORD (0x00000000)
+ ObjectName|endswith:
 - \enabledatabasefileprotectedview
 - \enableforeigntextfileprotectedview
 condition: registry_set and (selection_path and 1 of selection_values_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml b/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml
index 45b6407c2..0e3bc97f7 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml
@@ -19,15 +19,15 @@ detection:
 EventID: 4657
 Channel: Security
 selection_word:
- TargetObject|endswith: \Word\Security\AllowDDE
- Details:
+ ObjectName|endswith: \Word\Security\AllowDDE
+ NewValue:
 - DWORD (0x00000001)
 - DWORD (0x00000002)
 selection_excel:
- TargetObject|endswith:
+ ObjectName|endswith:
 - \Excel\Security\DisableDDEServerLaunch
 - \Excel\Security\DisableDDEServerLookup
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
 condition: registry_set and (1 of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
index 60ba419b5..045531046 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
@@ -23,8 +23,8 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- TargetObject|endswith: \Outlook\LoadMacroProviderOnBoot
- Details|contains: '0x00000001'
+ ObjectName|endswith: \Outlook\LoadMacroProviderOnBoot
+ NewValue|contains: '0x00000001'
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
index 92eb935a4..08751290a 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
@@ -23,8 +23,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \Outlook\Security\Level - Details|contains: '0x00000001' + ObjectName|endswith: \Outlook\Security\Level + NewValue|contains: '0x00000001' condition: registry_set and selection falsepositives: - Unlikely diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml index f199796e8..a9fdbf008 100644 --- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml @@ -25,8 +25,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \Outlook\Security\EnableUnsafeClientMailRules - Details: DWORD (0x00000001) + ObjectName|endswith: \Outlook\Security\EnableUnsafeClientMailRules + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml index 5845c9c0e..a4a168bc8 100644 --- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml +++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml @@ -22,7 +22,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains|all: + ObjectName|contains|all: - \SOFTWARE\Microsoft\Office\ - \Outlook\Security\ condition: registry_set and selection diff --git a/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml index a71691335..52115ac6c 100644 
--- a/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml +++ b/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml @@ -23,9 +23,9 @@ detection: EventID: 4657 Channel: Security selection_value: - TargetObject|contains: \Security\Trusted Documents\TrustRecords + ObjectName|contains: \Security\Trusted Documents\TrustRecords selection_paths: - TargetObject|contains: + ObjectName|contains: - /AppData/Local/Microsoft/Windows/INetCache/ - /AppData/Local/Temp/ - /PerfLogs/ diff --git a/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml index cfd60b819..25dcc98e6 100644 --- a/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml +++ b/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml @@ -24,10 +24,10 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: Security\Trusted Locations\Location - TargetObject|endswith: \Path + ObjectName|contains: Security\Trusted Locations\Location + ObjectName|endswith: \Path filter_exclude_known_paths: - Details|contains: + NewValue|contains: - '%APPDATA%\Microsoft\Templates' - '%%APPDATA%%\Microsoft\Templates' - '%APPDATA%\Microsoft\Word\Startup' 
@@ -37,10 +37,10 @@ detection: - :\Program Files\Microsoft Office\root\Templates\ - :\Program Files\Microsoft Office\Templates\ filter_main_office_click_to_run: - Image|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\ + ProcessName|endswith: \OfficeClickToRun.exe filter_main_office_apps: - Image|contains: + ProcessName|contains: - :\Program Files\Microsoft Office\ - :\Program Files (x86)\Microsoft Office\ condition: registry_set and (selection and not 1 of filter_main_* and not 1 of diff --git a/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml index 6b40ffc49..c7bf152ea 100644 --- a/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml @@ -24,8 +24,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \Security\VBAWarnings - Details: DWORD (0x00000001) + ObjectName|endswith: \Security\VBAWarnings + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Unlikely diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml index f9ac0d3a3..21700a0fd 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml 
@@ -30,11 +30,11 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths - TargetObject|endswith: + ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths + ObjectName|endswith: - (Default) - Path - Details|contains: + NewValue|contains: - \Users\Public - \AppData\Local\Temp\ - \Windows\Temp\ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_appx_debugger.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_appx_debugger.yml index 6177dd927..8396f4df7 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_appx_debugger.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_appx_debugger.yml @@ -19,11 +19,11 @@ detection: EventID: 4657 Channel: Security selection_debug: - TargetObject|contains: Classes\ActivatableClasses\Package\Microsoft. - TargetObject|endswith: \DebugPath + ObjectName|contains: Classes\ActivatableClasses\Package\Microsoft. + ObjectName|endswith: \DebugPath selection_default: - TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft. - TargetObject|endswith: \(Default) + ObjectName|contains: \Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft. + ObjectName|endswith: \(Default) condition: registry_set and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml index 8dfb99362..d065549bc 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml 
@@ -19,7 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \Services\WinSock2\Parameters\AutodialDLL + ObjectName|contains: \Services\WinSock2\Parameters\AutodialDLL condition: registry_set and selection falsepositives: - Unlikely diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml index 961b83bee..c143a18e1 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml @@ -19,7 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \Software\Microsoft\HtmlHelp Author\Location - \Software\WOW6432Node\Microsoft\HtmlHelp Author\Location condition: registry_set and selection diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index 49ea77b03..4958fa026 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml @@ -20,11 +20,11 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \CLSID\ - TargetObject|endswith: + ObjectName|contains: \CLSID\ + ObjectName|endswith: - \InprocServer32\(Default) - \LocalServer32\(Default) - Details|contains: + NewValue|contains: - \AppData\Local\Temp\ - \Desktop\ - \Downloads\ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml index 35b54c083..46f6b1f58 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml @@ -22,9 +22,9 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default) + ObjectName|endswith: \CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default) filter_main: - Details: + NewValue: - '%windir%\System32\ActXPrxy.dll' - C:\Windows\System32\ActXPrxy.dll condition: registry_set and (selection and not filter_main) diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index 04887ea60..8e7b6608e 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml @@ -21,12 +21,12 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|startswith: HKCR\ - Details|startswith: 'URL:' + ObjectName|startswith: HKCR\ + NewValue|startswith: 'URL:' filter_main_ms_trusted: - Details|startswith: URL:ms- + NewValue|startswith: URL:ms- filter_main_generic_locations: - Image|startswith: + ProcessName|startswith: - C:\Program Files (x86) - C:\Program Files\ - C:\Windows\System32\ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml index 45127ed62..d99170eb3 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml 
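Review bot: `ObjectName|startswith: HKCR\` in the custom_protocol_handler hunk keeps the Sysmon hive spelling, whereas 4657 reports ObjectName in the kernel form (`\REGISTRY\MACHINE\...`, `\REGISTRY\USER\<SID>...`), so this selection is unlikely to match anything. The ifilter hunk further down shows the same mismatch the other way round: it rewrites `HKLM\` to `\REGISTRY\MACHINE\` but leaves the `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\...` alternatives in place, which are now dead entries in the list. For the classes root, which maps to `\REGISTRY\MACHINE\SOFTWARE\Classes\` and the per-user `_Classes` hive, an `ObjectName|contains: \SOFTWARE\Classes\` form would be the safer rewrite here.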
@@ -23,21 +23,21 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram - \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL filter_default_redirect_program: - Image|endswith: C:\WINDOWS\system32\svchost.exe - TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram - Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe' + ProcessName|endswith: C:\WINDOWS\system32\svchost.exe + ObjectName|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram + NewValue: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe' filter_default_redirect_program_cli: - Image|endswith: C:\WINDOWS\system32\svchost.exe - TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters - Details: -url hcp://services/centers/support?topic=%%s + ProcessName|endswith: C:\WINDOWS\system32\svchost.exe + ObjectName|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters + NewValue: -url hcp://services/centers/support?topic=%%s filter_url: - Details: http://go.microsoft.com/fwlink/events.asp + NewValue: http://go.microsoft.com/fwlink/events.asp filter_cleaner: - Details: (Empty) + NewValue: (Empty) condition: registry_set and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml index d369d120c..822f33a7c 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml 
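Review bot: `NewValue: (Empty)` in filter_cleaner is Sysmon's placeholder for an empty Details field, not something the Security log emits, so the filter becomes dead after the rename; the same applies to `NewValue: Binary Data` in the persistence_ie hunk (filter_binary) and, less certainly, to `NewValue: ''` in the shim_database hunk. Worth checking how 4657 actually renders an empty value and a REG_BINARY value (I would expect an empty string and hex-encoded bytes respectively) and adjusting these filters, otherwise the converted rules will be noisier than the Sysmon originals.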
@@ -26,15 +26,15 @@ detection: EventID: 4657 Channel: Security selection_global_flag: - TargetObject|contains|all: + ObjectName|contains|all: - \Microsoft\Windows NT\CurrentVersion\ - \Image File Execution Options\ - \GlobalFlag selection_silent_process: - TargetObject|contains|all: + ObjectName|contains|all: - \Microsoft\Windows NT\CurrentVersion\ - \SilentProcessExit\ - TargetObject|contains: + ObjectName|contains: - \ReportingMode - \MonitorProcess condition: registry_set and (1 of selection_*) diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml index 6e37364b2..90a3034c8 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml @@ -22,24 +22,23 @@ detection: EventID: 4657 Channel: Security selection_domains: - TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet - Settings + ObjectName|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings filter_dword: - Details|startswith: DWORD + NewValue|startswith: DWORD filter_office: - Details: + NewValue: - 'Cookie:' - 'Visited:' - (Empty) filter_path: - TargetObject|contains: + ObjectName|contains: - \Cache - \ZoneMap - \WpadDecision filter_binary: - Details: Binary Data + NewValue: Binary Data filter_accepted_documents: - TargetObject|contains: \Accepted Documents\ + ObjectName|contains: \Accepted Documents\ condition: registry_set and (selection_domains and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml index ff4de6d39..f56214670 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml 
@@ -24,17 +24,17 @@ detection: EventID: 4657 Channel: Security selection_ext: - TargetObject|startswith: - - HKLM\SOFTWARE\Classes\. + ObjectName|startswith: + - \REGISTRY\MACHINE\SOFTWARE\Classes\. - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\. - TargetObject|contains: \PersistentHandler + ObjectName|contains: \PersistentHandler selection_clsid: - TargetObject|startswith: - - HKLM\SOFTWARE\Classes\CLSID + ObjectName|startswith: + - \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID - TargetObject|contains: \PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} + ObjectName|contains: \PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF} filter_default_targets: - TargetObject|contains: + ObjectName|contains: - \CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\ - \CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\ - \CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\ @@ -64,7 +64,7 @@ detection: - \CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20} - \CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\ filter_generic_paths: - Image|startswith: + ProcessName|startswith: - C:\Windows\System32\ - C:\Program Files (x86)\ - C:\Program Files\ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml index 38cdd5361..0c9f716f1 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml @@ -24,7 +24,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions + ObjectName|contains: \SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions condition: registry_set and selection falsepositives: - Unlikely 
diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml index 70c2ccacf..31f06db85 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml @@ -19,7 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify + ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify condition: registry_set and selection falsepositives: - Might trigger if a legitimate new SIP provider is registered. But this is not diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml index 4d9e71fef..8a0fab143 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml @@ -19,8 +19,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer - TargetObject|endswith: (Default) + ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer + ObjectName|endswith: (Default) condition: registry_set and selection falsepositives: - Unlikely but if you experience FPs add specific processes and locations you diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml index 7f04dcc76..4ea76302e 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml 
@@ -20,9 +20,9 @@ detection: EventID: 4657 Channel: Security selection_root: - TargetObject|contains: \SYSTEM\CurrentControlSet\Control\ContentIndex\Language\ + ObjectName|contains: \SYSTEM\CurrentControlSet\Control\ContentIndex\Language\ selection_values: - TargetObject|contains: + ObjectName|contains: - \StemmerDLLPathOverride - \WBDLLPathOverride - \StemmerClass diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml index 10e98625c..e8fec8a09 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml @@ -20,28 +20,28 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \Software\Microsoft\Office\Outlook\Addins\ - \Software\Microsoft\Office\Word\Addins\ - \Software\Microsoft\Office\Excel\Addins\ - \Software\Microsoft\Office\Powerpoint\Addins\ - \Software\Microsoft\VSTO\Security\Inclusion\ filter_image: - Image|endswith: + ProcessName|endswith: - \msiexec.exe - \regsvr32.exe filter_office: - Image|endswith: + ProcessName|endswith: - \excel.exe - \integrator.exe - \OfficeClickToRun.exe - \winword.exe - \visio.exe filter_teams: - Image|endswith: \Teams.exe + ProcessName|endswith: \Teams.exe filter_avg: - Image: C:\Program Files\AVG\Antivirus\RegSvr.exe - TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\ + ProcessName: C:\Program Files\AVG\Antivirus\RegSvr.exe + ObjectName|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\ condition: registry_set and (selection and not 1 of filter_*) falsepositives: - Legitimate Addin Installation diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_homepage.yml index 8d18b9814..465bcbb55 100644 
--- a/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_homepage.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_homepage.yml @@ -19,17 +19,17 @@ detection: EventID: 4657 Channel: Security selection_1: - TargetObject|contains: + ObjectName|contains: - \Software\Microsoft\Office\ - \Outlook\WebView\ - TargetObject|endswith: \URL + ObjectName|endswith: \URL selection_2: - TargetObject|contains: + ObjectName|contains: - \Calendar\ - \Inbox\ condition: registry_set and (all of selection_*) fields: - - Details + - NewValue falsepositives: - Unknown level: high diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml index 97e2a8f26..97e5341b7 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml @@ -20,23 +20,23 @@ detection: EventID: 4657 Channel: Security selection_main: - TargetObject|contains|all: + ObjectName|contains|all: - Software\Microsoft\Office\ - \Outlook\Today\ selection_value_stamp: - TargetObject|endswith: Stamp - Details: DWORD (0x00000001) + ObjectName|endswith: Stamp + NewValue: DWORD (0x00000001) selection_value_user_defined: - TargetObject|endswith: UserDefinedUrl + ObjectName|endswith: UserDefinedUrl filter_office: - Image|startswith: + ProcessName|startswith: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|endswith: \OfficeClickToRun.exe condition: registry_set and (selection_main and 1 of selection_value_* and not 1 of filter_*) fields: - - Details + - NewValue falsepositives: - Unknown level: high 
diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml index a207013a2..73fc8bcd4 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml @@ -22,8 +22,8 @@ detection: EventID: 4657 Channel: Security selection: - EventType: SetValue - TargetObject|endswith: \Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger + OperationType: '%%1905' + ObjectName|endswith: \Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml index 097f5a1dd..5a228f5ae 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml @@ -19,8 +19,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: InprocServer32\(Default) - Details: C:\WINDOWS\system32\scrobj.dll + ObjectName|endswith: InprocServer32\(Default) + NewValue: C:\WINDOWS\system32\scrobj.dll condition: registry_set and selection falsepositives: - Legitimate use of the dll. diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml index fa4a25100..dab6c194b 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml 
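Review bot: `OperationType: '%%1905'` in the reflectdebugger hunk narrows the rule to existing-value modifications; in 4657 `%%1904` denotes a newly created registry value and `%%1905` a modified one, and a ReflectDebugger value set on a host that never had one would arrive as `%%1904`. Sysmon's SetValue covered both cases, so listing both codes, `OperationType: ['%%1904', '%%1905']`, keeps the original coverage (assuming the shared `registry_set` selection does not already constrain OperationType — that part is outside this hunk).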
@@ -18,74 +18,74 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \CLSID\ - TargetObject|endswith: \InprocServer32\(Default) + ObjectName|contains: \CLSID\ + ObjectName|endswith: \InprocServer32\(Default) filter_main_generic: - Details|contains: + NewValue|contains: - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' filter_main_onedrive: - Details|contains: + NewValue|contains: - \AppData\Local\Microsoft\OneDrive\ - \FileCoAuthLib64.dll - \FileSyncShell64.dll - \FileSyncApi64.dll filter_main_health_service: - Image|endswith: :\WINDOWS\system32\SecurityHealthService.exe + ProcessName|endswith: :\WINDOWS\system32\SecurityHealthService.exe filter_main_teams: - Details|contains|all: + NewValue|contains|all: - \AppData\Local\Microsoft\TeamsMeetingAddin\ - \Microsoft.Teams.AddinLoader.dll filter_main_dropbox: - Details|contains|all: + NewValue|contains|all: - \AppData\Roaming\Dropbox\ - \DropboxExt64.*.dll filter_main_trend_micro: - Details|endswith: TmopIEPlg.dll + NewValue|endswith: TmopIEPlg.dll filter_main_update: - Image|endswith: + ProcessName|endswith: - :\WINDOWS\system32\wuauclt.exe - :\WINDOWS\system32\svchost.exe filter_main_defender: - Image|contains: + ProcessName|contains: - :\ProgramData\Microsoft\Windows Defender\Platform\ - :\Program Files\Windows Defender\ - Image|endswith: \MsMpEng.exe + ProcessName|endswith: \MsMpEng.exe filter_main_nvidia: - Details|contains: \FileRepository\nvmdi.inf + NewValue|contains: \FileRepository\nvmdi.inf filter_main_edge: - Image|endswith: \MicrosoftEdgeUpdateComRegisterShell64.exe + ProcessName|endswith: \MicrosoftEdgeUpdateComRegisterShell64.exe filter_main_dx: - Image|endswith: :\WINDOWS\SYSTEM32\dxdiag.exe + ProcessName|endswith: :\WINDOWS\SYSTEM32\dxdiag.exe filter_main_python: - Details|endswith: + NewValue|endswith: - :\Windows\pyshellext.amd64.dll - :\Windows\pyshellext.dll filter_main_bonjourlib: - Details|endswith: + NewValue|endswith: - :\Windows\system32\dnssdX.dll - 
:\Windows\SysWOW64\dnssdX.dll filter_main_printextensionmanager: - Details|endswith: :\Windows\system32\spool\drivers\x64\3\PrintConfig.dll + NewValue|endswith: :\Windows\system32\spool\drivers\x64\3\PrintConfig.dll filter_main_programfiles: - Details|contains: + NewValue|contains: - :\Program Files\ - :\Program Files (x86)\ filter_main_programdata: - Details|contains: :\ProgramData\Microsoft\ + NewValue|contains: :\ProgramData\Microsoft\ filter_main_gameservice: - Details|contains: :\WINDOWS\system32\GamingServicesProxy.dll + NewValue|contains: :\WINDOWS\system32\GamingServicesProxy.dll filter_main_poqexec: - Image|endswith: :\Windows\System32\poqexec.exe - Details|contains: :\Windows\System32\Autopilot.dll + ProcessName|endswith: :\Windows\System32\poqexec.exe + NewValue|contains: :\Windows\System32\Autopilot.dll filter_main_sec_health_svc: - Image|endswith: :\Windows\system32\SecurityHealthService.exe - Details|contains: :\Windows\System32\SecurityHealth + ProcessName|endswith: :\Windows\system32\SecurityHealthService.exe + NewValue|contains: :\Windows\System32\SecurityHealth filter_main_inprocserver: - Image|endswith: + ProcessName|endswith: - :\Windows\System32\poqexec.exe - :\Windows\System32\regsvr32.exe - TargetObject|endswith: \InProcServer32\(Default) + ObjectName|endswith: \InProcServer32\(Default) condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml index 98e4cc434..b8fae6e0f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml 
@@ -27,11 +27,11 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ filter_main_empty: - Details: '' + NewValue: '' condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - Legitimate custom SHIM installations will also trigger this rule diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml index abfad3cc5..fa5b7075d 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml @@ -20,8 +20,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ - TargetObject|endswith: + ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ + ObjectName|endswith: - \csrss.exe - \dllhost.exe - \explorer.exe diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml index 2551a9f09..09ef27c25 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml 
@@ -21,11 +21,11 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains|all: + ObjectName|contains|all: - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ - \DatabasePath filter_main_known_locations: - Details|contains: :\Windows\AppPatch\Custom + NewValue|contains: :\Windows\AppPatch\Custom condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml index 1ee22a17d..611354f25 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml @@ -20,9 +20,9 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\ + ObjectName|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\ filter: - Image: + ProcessName: - C:\Windows\explorer.exe - C:\Windows\SysWOW64\explorer.exe condition: registry_set and (selection and not filter) diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml index 7c4495ee3..4974febf9 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml @@ -20,10 +20,10 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: Software\Microsoft\Office\ - TargetObject|endswith: \Excel\Options - Details|startswith: '/R ' - Details|endswith: .xll + ObjectName|contains: Software\Microsoft\Office\ + ObjectName|endswith: \Excel\Options + NewValue|startswith: '/R ' + NewValue|endswith: .xll condition: registry_set and selection falsepositives: - Unknown 
diff --git a/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml index c30f223d9..63d1906e5 100644 --- a/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml @@ -19,13 +19,13 @@ detection: EventID: 4657 Channel: Security selection_main: - TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\ + ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\ selection_value_default_file_type_rsik: - TargetObject|endswith: \DefaultFileTypeRisk - Details: DWORD (0x00006152) + ObjectName|endswith: \DefaultFileTypeRisk + NewValue: DWORD (0x00006152) selection_value_low_risk_filetypes: - TargetObject|endswith: \LowRiskFileTypes - Details|contains: + ObjectName|endswith: \LowRiskFileTypes + NewValue|contains: - .zip; - .rar; - .exe; diff --git a/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml index e3928419e..0c1dfc308 100644 --- a/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml 
@@ -19,16 +19,16 @@ detection:
EventID: 4657
Channel: Security
selection_main:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\
selection_value_hide_zone_info:
- TargetObject|endswith: \HideZoneInfoOnProperties
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \HideZoneInfoOnProperties
+ NewValue: DWORD (0x00000001)
selection_value_save_zone_info:
- TargetObject|endswith: \SaveZoneInformation
- Details: DWORD (0x00000002)
+ ObjectName|endswith: \SaveZoneInformation
+ NewValue: DWORD (0x00000002)
selection_value_scan_with_av:
- TargetObject|endswith: \ScanWithAntiVirus
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \ScanWithAntiVirus
+ NewValue: DWORD (0x00000001)
condition: registry_set and (selection_main and 1 of selection_value_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_as_service.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_as_service.yml
index 08679c389..9b9287e19 100644
--- a/sigma/builtin/registry/registry_set/registry_set_powershell_as_service.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_powershell_as_service.yml
@@ -18,9 +18,9 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains: \Services\
- TargetObject|endswith: \ImagePath
- Details|contains:
+ ObjectName|contains: \Services\
+ ObjectName|endswith: \ImagePath
+ NewValue|contains:
- powershell
- pwsh
condition: registry_set and selection
diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
index ef08119fa..963cda87b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
@@ -20,8 +20,8 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith: \Policies\Microsoft\Windows\PowerShell\EnableScripts
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \Policies\Microsoft\Windows\PowerShell\EnableScripts
+ NewValue: DWORD (0x00000001)
condition: registry_set and selection
falsepositives:
- Likely
diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml
index 98b87646e..eff6feaae 100644
--- a/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -25,15 +25,15 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith:
+ ObjectName|endswith:
- \ShellIds\Microsoft.PowerShell\ExecutionPolicy
- \Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
- Details|contains:
+ NewValue|contains:
- Bypass
- RemoteSigned
- Unrestricted
filter_main_svchost:
- Image|contains:
+ ProcessName|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
condition: registry_set and (selection and not 1 of filter_main_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_in_run_keys.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 647eb7462..7d4990ba1 100644
--- a/sigma/builtin/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -19,8 +19,8 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Run
- Details|contains:
+ ObjectName|contains: \Software\Microsoft\Windows\CurrentVersion\Run
+ NewValue|contains:
- powershell
- 'pwsh '
- FromBase64String
diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml
index e6215fc43..83a165593 100644
--- a/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml
@@ -20,17 +20,17 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains:
+ ObjectName|contains:
- \Microsoft\Windows\PowerShell\
- \Microsoft\PowerShellCore\
- TargetObject|endswith:
+ ObjectName|endswith:
- \ModuleLogging\EnableModuleLogging
- \ScriptBlockLogging\EnableScriptBlockLogging
- \ScriptBlockLogging\EnableScriptBlockInvocationLogging
- \Transcription\EnableTranscripting
- \Transcription\EnableInvocationHeader
- \EnableScripts
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
condition: registry_set and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml b/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml
index af8db66c1..c120d95dd 100644
--- a/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml
@@ -29,7 +29,7 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains: \SOFTWARE\Microsoft\Provisioning\Commands\
+ ObjectName|contains: \SOFTWARE\Microsoft\Provisioning\Commands\
condition: registry_set and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
index 46439df8b..2f7f9ec5b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
@@ -24,7 +24,7 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains:
+ ObjectName|contains:
- \PsExec
- \ProcDump
- \Handle
@@ -33,9 +33,9 @@ detection:
- \PsLoglist
- \PsPasswd
- \Active Directory Explorer
- TargetObject|endswith: \EulaAccepted
+ ObjectName|endswith: \EulaAccepted
filter_main_image_names:
- Image|endswith:
+ ProcessName|endswith:
- \PsExec.exe
- \PsExec64.exe
- \procdump.exe
@@ -53,7 +53,7 @@ detection:
- \ADExplorer.exe
- \ADExplorer64.exe
filter_optional_null:
- Image: null
+ ProcessName: null
condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
diff --git a/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index 3bca81364..db3fbf4d6 100644
--- a/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -20,8 +20,8 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith: \Microsoft\Windows NT\Rpc\ExtErrorInformation
- Details:
+ ObjectName|endswith: \Microsoft\Windows NT\Rpc\ExtErrorInformation
+ NewValue:
- DWORD (0x00000000)
- DWORD (0x00000002)
condition: registry_set and selection
diff --git a/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index f4f9f0b34..d1f9491ed 100644
--- a/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -21,12 +21,12 @@ detection:
EventID: 4657
Channel: Security
selection:
- Image|endswith: \rundll32.exe
+ ProcessName|endswith: \rundll32.exe
registry:
- TargetObject|contains: \Control Panel\Desktop\SCRNSAVE.EXE
- Details|endswith: .scr
+ ObjectName|contains: \Control Panel\Desktop\SCRNSAVE.EXE
+ NewValue|endswith: .scr
filter:
- Details|contains:
+ NewValue|contains:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
condition: registry_set and (selection and registry and not filter)
diff --git a/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml b/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml
index 284552f52..a095f4222 100644
--- a/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml
@@ -21,16 +21,16 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\
- TargetObject|endswith: \Parameters\ServiceDll
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\
+ ObjectName|endswith: \Parameters\ServiceDll
filter_printextensionmanger:
- Details: C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll
+ NewValue: C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll
filter_domain_controller:
- Image: C:\Windows\system32\lsass.exe
- TargetObject|endswith: \CurrentControlSet\Services\NTDS\Parameters\ServiceDll
- Details: '%%systemroot%%\system32\ntdsa.dll'
+ ProcessName: C:\Windows\system32\lsass.exe
+ ObjectName|endswith: \CurrentControlSet\Services\NTDS\Parameters\ServiceDll
+ NewValue: '%%systemroot%%\system32\ntdsa.dll'
filter_poqexec:
- Image: C:\Windows\System32\poqexec.exe
+ ProcessName: C:\Windows\System32\poqexec.exe
condition: registry_set and (selection and not 1 of filter*)
falsepositives:
- Administrative scripts
diff --git a/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml
index e2381c839..7f6a87edf 100644
--- a/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -20,8 +20,8 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith: Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled
- Details: DWORD (0x00000001)
+ ObjectName|endswith: Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled
+ NewValue: DWORD (0x00000001)
condition: registry_set and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml b/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml
index 941bb9038..3e4e6341d 100644
--- a/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -19,7 +19,7 @@ detection:
EventID: 4657
Channel: Security
selection_set_1:
- TargetObject|endswith:
+ ObjectName|endswith:
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
@@ -30,7 +30,7 @@ detection:
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu
- Details: DWORD (0x00000001)
+ NewValue: DWORD (0x00000001)
condition: registry_set and selection_set_1
falsepositives:
- Legitimate admin script
diff --git a/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml
index 7aab30a25..959b82438 100644
--- a/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml
@@ -22,23 +22,23 @@ detection:
EventID: 4657
Channel: Security
selection_root:
- TargetObject|contains:
+ ObjectName|contains:
- \SOFTWARE\Microsoft\Cryptography\Providers\
- \SOFTWARE\Microsoft\Cryptography\OID\EncodingType
- \SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\
- \SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType
selection_dll:
- TargetObject|contains:
+ ObjectName|contains:
- \Dll
- \$DLL
filter:
- Details:
+ NewValue:
- WINTRUST.DLL
- mso.dll
filter_poqexec:
- Image: C:\Windows\System32\poqexec.exe
- TargetObject|contains: \CryptSIPDll
- Details: C:\Windows\System32\PsfSip.dll
+ ProcessName: C:\Windows\System32\poqexec.exe
+ ObjectName|contains: \CryptSIPDll
+ NewValue: C:\Windows\System32\PsfSip.dll
condition: registry_set and (all of selection_* and not 1 of filter*)
falsepositives:
- Legitimate SIP being registered by the OS or different software.
diff --git a/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml
index b39530b85..3da4555d7 100644
--- a/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml
@@ -18,11 +18,11 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains:
+ ObjectName|contains:
- \Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled
- \Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled
- \Sophos\SAVService\TamperProtection\Enabled
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
condition: registry_set and selection
falsepositives:
- Some FP may occur when the feature is disabled by the AV itself, you should
diff --git a/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml b/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml
index 0159dfd7a..f5f5c36f2 100644
--- a/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml
@@ -24,9 +24,9 @@ detection:
EventID: 4657
Channel: Security
selection:
- EventType: SetValue
- TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- Details: DWORD (0x00000000)
+ OperationType: '%%1905'
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
+ NewValue: DWORD (0x00000000)
condition: registry_set and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml b/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml
index a73cf9c5c..ff362b93f 100644
--- a/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml
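Review bot: `OperationType: '%%1905'` in the special_accounts hunk narrows the rule: Sysmon's `SetValue` covered both the first write and later rewrites of a value, whereas 4657 reports a newly created value as `%%1904` and only a rewrite as `%%1905`, so the ported selection misses the common case where the UserList entry is created rather than modified. Matching both operations, `OperationType: ['%%1904', '%%1905']`, restores the original coverage. The pendingfilerenameoperations hunk further down makes the same substitution and needs the same change.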
@@ -19,8 +19,8 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith: SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress
- Details: DWORD (0x00000001)
+ ObjectName|endswith: SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress
+ NewValue: DWORD (0x00000001)
condition: registry_set and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
index 595709178..106f02da6 100644
--- a/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
@@ -23,10 +23,10 @@ detection:
EventID: 4657
Channel: Security
selection_registry:
- TargetObject|contains:
+ ObjectName|contains:
- \Keyboard Layout\Preload\
- \Keyboard Layout\Substitutes\
- Details|contains:
+ NewValue|contains:
- 00000429
- 00050429
- 0000042a
diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 467be99d4..b8ff80487 100644
--- a/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -23,14 +23,14 @@ detection:
EventID: 4657
Channel: Security
selection_main:
- EventType: SetValue
- TargetObject|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
+ OperationType: '%%1905'
+ ObjectName|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
selection_susp_paths:
- Image|contains:
+ ProcessName|contains:
- \AppData\Local\Temp\
- \Users\Public\
selection_susp_images:
- Image|endswith:
+ ProcessName|endswith:
- \reg.exe
- \regedit.exe
condition: registry_set and (selection_main and 1 of selection_susp_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml b/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml
index a4e9a4b43..b97ce62f5 100644
--- a/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -20,18 +20,18 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains|all:
+ ObjectName|contains|all:
- \Control\Print\Environments\Windows x64\Drivers
- \Manufacturer
- Details: (Empty)
+ NewValue: (Empty)
filter_cutepdf:
- TargetObject|contains: \CutePDF Writer v4.0\
+ ObjectName|contains: \CutePDF Writer v4.0\
filter_vnc:
- TargetObject|contains:
+ ObjectName|contains:
- \VNC Printer (PS)\
- \VNC Printer (UD)\
filter_pdf24:
- TargetObject|contains: \Version-3\PDF24\
+ ObjectName|contains: \Version-3\PDF24\
condition: registry_set and (selection and not 1 of filter_*)
falsepositives:
- Alerts on legitimate printer drivers that do not set any more details in the
diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 4e65d56ac..4863c5c1e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
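Review bot: `NewValue: (Empty)` in the susp_printer_driver hunk carries over a Sysmon-specific placeholder: Sysmon writes the literal `(Empty)` into Details when a value is empty, while 4657 leaves NewValue blank, so this selection will not match a real event. Match an empty string instead, `NewValue: ''`, and confirm against a captured 4657 event whether the field is empty or absent for this case, since the two need different Sigma expressions.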
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -19,19 +19,19 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+ ObjectName|endswith: \Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
selection2:
- - Details|startswith:
+ - NewValue|startswith:
- C:\Windows\Temp\
- C:\ProgramData\
- C:\$Recycle.bin\
- C:\Temp\
- C:\Users\Public\
- C:\Users\Default\
- - Details|contains: \AppData\
+ - NewValue|contains: \AppData\
condition: registry_set and (selection and selection2)
fields:
- - Image
+ - ProcessName
- ParentImage
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index 260f5f077..69f77897d 100644
--- a/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -19,11 +19,11 @@ detection:
EventID: 4657
Channel: Security
selection_target:
- TargetObject|contains:
+ ObjectName|contains:
- \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
selection_details:
- - Details|contains:
+ - NewValue|contains:
- C:\Windows\Temp\
- C:\$Recycle.bin\
- C:\Temp\
@@ -33,13 +33,13 @@ detection:
- \AppData\Local\Temp\
- '%temp%\'
- '%tmp%\'
- - Details|startswith:
+ - NewValue|startswith:
- '%Public%\'
- wscript
- cscript
condition: registry_set and (all of selection_*)
fields:
- - Image
+ - ProcessName
falsepositives:
- Software using weird folders for updates
level: high
diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml b/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml
index b7ac7da1a..9ffc58bfd 100644
--- a/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml
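Review bot: The `fields` list of the susp_reg_persist_explorer_run hunk now names `ProcessName` but still lists `ParentImage`, which 4657 does not carry (the event has no parent-process field), so the list mixes a Security-channel field with a Sysmon-only one. Either drop `- ParentImage` or replace it with a field 4657 does populate, such as `- SubjectUserName`.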
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml
@@ -24,18 +24,18 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject:
- - HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath
- - HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath
+ ObjectName:
+ - \REGISTRY\MACHINE\System\CurrentControlSet\Services\NalDrv\ImagePath
+ - \REGISTRY\MACHINE\System\CurrentControlSet\Services\PROCEXP152\ImagePath
filter:
- Image|endswith:
+ ProcessName|endswith:
- \procexp64.exe
- \procexp.exe
- \procmon64.exe
- \procmon.exe
- \handle.exe
- \handle64.exe
- Details|contains: \WINDOWS\system32\Drivers\PROCEXP152.SYS
+ NewValue|contains: \WINDOWS\system32\Drivers\PROCEXP152.SYS
condition: registry_set and (selection and not filter)
falsepositives:
- Other legimate tools using this service names and drivers. Note - clever attackers
diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml b/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml
index 185956b1d..431e25988 100644
--- a/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml
@@ -20,9 +20,9 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User
+ ObjectName|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- TargetObject|endswith: Startup
+ ObjectName|endswith: Startup
condition: registry_set and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml b/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml
index 0491c007a..4e20df8f1 100644
--- a/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml
@@ -19,12 +19,12 @@ detection:
EventID: 4657
Channel: Security
selection_main:
- TargetObject|contains: \Environment\
+ ObjectName|contains: \Environment\
selection_details:
- - Details:
+ - NewValue:
- powershell
- pwsh
- - Details|contains:
+ - NewValue|contains:
- \AppData\Local\Temp\
- C:\Users\Public\
- TVqQAAMAAAAEAAAA
@@ -38,7 +38,7 @@ detection:
- SQBuAHYAbwBrAGUALQ
- kAbgB2AG8AawBlAC0A
- JAG4AdgBvAGsAZQAtA
- - Details|startswith:
+ - NewValue|startswith:
- SUVY
- SQBFAF
- SQBuAH
diff --git a/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml
index 4c275e7c1..0bf1b91dc 100644
--- a/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -28,8 +28,8 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith: System\CurrentControlSet\Control\Lsa\NoLMHash
- Details: DWORD (0x00000000)
+ ObjectName|endswith: System\CurrentControlSet\Control\Lsa\NoLMHash
+ NewValue: DWORD (0x00000000)
condition: registry_set and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml b/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml
index 187ac5c04..5fd997499 100644
--- a/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml
@@ -21,40 +21,40 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\
+ ObjectName|contains: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\
filter:
- TargetObject|contains:
+ ObjectName|contains:
- Microsoft\Windows\UpdateOrchestrator
- Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index
- Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index
filter_tiworker:
- Image|startswith: C:\Windows\
- Image|endswith: \TiWorker.exe
+ ProcessName|startswith: C:\Windows\
+ ProcessName|endswith: \TiWorker.exe
filter_svchost:
- Image: C:\WINDOWS\system32\svchost.exe
+ ProcessName: C:\WINDOWS\system32\svchost.exe
filter_ngen:
- Image|startswith: C:\Windows\Microsoft.NET\Framework
- Image|endswith: \ngen.exe
- TargetObject|contains:
+ ProcessName|startswith: C:\Windows\Microsoft.NET\Framework
+ ProcessName|endswith: \ngen.exe
+ ObjectName|contains:
- \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}
- \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN
filter_office_click_to_run:
- Image:
+ ProcessName:
- C:\Program Files\Microsoft Office\root\Integration\Integrator.exe
- C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
filter_msiexec:
- Image: C:\Windows\System32\msiexec.exe
+ ProcessName: C:\Windows\System32\msiexec.exe
filter_dropbox_updater:
- Image:
+ ProcessName:
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
- C:\Program Files\Dropbox\Update\DropboxUpdate.exe
filter_explorer:
- Image: C:\Windows\explorer.exe
- TargetObject|contains: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server
+ ProcessName: C:\Windows\explorer.exe
+ ObjectName|contains: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\
filter_system:
- Image: System
+ ProcessName: System
condition: registry_set and (selection and not 1 of filter*)
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml
index b36d1f172..97b060778 100644
--- a/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -35,9 +35,9 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
- TargetObject|endswith: \Command
- Details|contains:
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
+ ObjectName|endswith: \Command
+ NewValue|contains:
- .bat
- .bin
- .cmd
@@ -52,7 +52,7 @@ detection:
- .sh
- .vb
filter_main_generic:
- Details|contains:
+ NewValue|contains:
- \system32\CompatTelRunner.exe
- \system32\DeviceCensus.exe
condition: registry_set and (selection and not 1 of filter_main_*)
diff --git a/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml b/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml
index a19c16fd0..958ae0717 100644
--- a/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -34,11 +34,11 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|endswith:
+ ObjectName|endswith:
- \fDenyTSConnections
- \fSingleSessionPerUser
- \UserAuthentication
- Details: DWORD (0x00000000)
+ NewValue: DWORD (0x00000000)
condition: registry_set and selection
falsepositives:
- Some of the keys mentioned here could be modified by an administrator while
diff --git a/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml b/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml
index 5eb04c156..9f097ae30 100644
--- a/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml
@@ -38,26 +38,26 @@ detection:
EventID: 4657
Channel: Security
selection_shadow:
- TargetObject|contains:
+ ObjectName|contains:
- SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\
- \Control\Terminal Server\
- TargetObject|endswith: \Shadow
- Details:
+ ObjectName|endswith: \Shadow
+ NewValue:
- DWORD (0x00000001)
- DWORD (0x00000002)
- DWORD (0x00000003)
- DWORD (0x00000004)
selection_terminal_services_key:
- TargetObject|contains:
+ ObjectName|contains:
- \Control\Terminal Server\
- SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\
selection_terminal_services_values:
- TargetObject|endswith:
+ ObjectName|endswith:
- \fAllowUnsolicited
- \fAllowUnsolicitedFullControl
- Details: DWORD (0x00000001)
+ NewValue: DWORD (0x00000001)
selection_tamper_only:
- TargetObject|contains:
+ ObjectName|contains:
- \services\TermService\Parameters\ServiceDll
- \Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
- \Control\Terminal Server\InitialProgram
diff --git a/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml b/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml
index 1fd83c30a..01779d888 100644
--- a/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml
@@ -26,10 +26,10 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders
- TargetObject|endswith: DllName
+ ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders
+ ObjectName|endswith: DllName
filter:
- Details: C:\Windows\SYSTEM32\w32time.DLL
+ NewValue: C:\Windows\SYSTEM32\w32time.DLL
condition: registry_set and (selection and not filter)
falsepositives:
- Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
index 88f788063..3b7f94688 100644
--- a/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
@@ -17,11 +17,11 @@ detection:
EventID: 4657
Channel: Security
selection:
- TargetObject|contains:
+ ObjectName|contains:
- \Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\
- \Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\
- TargetObject|endswith: \Enabled
- Details: DWORD (0x00000001)
+ ObjectName|endswith: \Enabled
+ NewValue: DWORD (0x00000001)
condition: registry_set and selection
falsepositives:
- Legitimate enabling of the old tls versions due to incompatibility
diff --git a/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml
index 2576b5476..a4745bb60 100644
--- a/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml
@@ -19,16 +19,16 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: TreatAs\(Default) + ObjectName|endswith: TreatAs\(Default) filter_office: - Image|startswith: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|startswith: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ + ProcessName|endswith: \OfficeClickToRun.exe filter_office2: - Image: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe + ProcessName: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe filter_svchost: - Image: C:\Windows\system32\svchost.exe + ProcessName: C:\Windows\system32\svchost.exe filter_misexec: - Image: + ProcessName: - C:\Windows\system32\msiexec.exe - C:\Windows\SysWOW64\msiexec.exe condition: registry_set and (selection and not 1 of filter_*) diff --git a/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml b/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml index b77315d1d..75915d247 100644 --- a/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml +++ b/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml @@ -23,13 +23,13 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \Microsoft\Windows\CurrentVersion\AppModelUnlock - \Policies\Microsoft\Windows\Appx\ - TargetObject|endswith: + ObjectName|endswith: - \AllowAllTrustedApps - \AllowDevelopmentWithoutDevLicense - Details: DWORD (0x00000001) + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_eventvwr.yml index 76cbc15f8..5f2bd17bf 100644 --- a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_eventvwr.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_eventvwr.yml @@ -21,7 +21,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \mscfile\shell\open\command + ObjectName|endswith: \mscfile\shell\open\command condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml index 8f564096d..a0f4efabd 100644 --- a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml @@ -22,10 +22,10 @@ detection: EventID: 4657 Channel: Security selection1: - TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand + ObjectName|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: - TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue - Details|re: -1[0-9]{3}\\Software\\Classes\\ + ObjectName|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue + NewValue|re: -1[0-9]{3}\\Software\\Classes\\ condition: registry_set and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml index 737188eb5..b51601edc 100644 --- a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml +++ b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml 
@@ -20,10 +20,10 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: \Root\InventoryApplicationFile\winsat.exe| - TargetObject|endswith: \LowerCaseLongPath - Details|startswith: c:\users\ - Details|endswith: \appdata\local\temp\system32\winsat.exe + ObjectName|contains: \Root\InventoryApplicationFile\winsat.exe| + ObjectName|endswith: \LowerCaseLongPath + NewValue|startswith: c:\users\ + NewValue|endswith: \appdata\local\temp\system32\winsat.exe condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml index adff65c6b..46b3da111 100644 --- a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml +++ b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml @@ -20,9 +20,9 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility + ObjectName|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe - Details: Binary Data + NewValue: Binary Data condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml b/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml index 43d5d7385..2dbf558c1 100644 --- a/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml +++ b/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml @@ -19,8 +19,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: Software\Microsoft\Windows\CurrentVersion - Details|contains: + ObjectName|contains: Software\Microsoft\Windows\CurrentVersion + NewValue|contains: - 'vbscript:' - 'jscript:' - mshtml, 
@@ -29,11 +29,11 @@ detection: - CreateObject - window.close filter: - TargetObject|contains: Software\Microsoft\Windows\CurrentVersion\Run + ObjectName|contains: Software\Microsoft\Windows\CurrentVersion\Run filter_dotnet: - Image|endswith: \msiexec.exe - TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\ - Details|contains: + ProcessName|endswith: \msiexec.exe + ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\ + NewValue|contains: - \Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll - <\Microsoft.mshtml,fileVersion= - _mshtml_dll_ diff --git a/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml index 89bca12cf..e0215c7c0 100644 --- a/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml +++ b/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml @@ -21,9 +21,9 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \Software\Microsoft\WAB\DLLPath + ObjectName|endswith: \Software\Microsoft\WAB\DLLPath filter: - Details: '%CommonProgramFiles%\System\wab32.dll' + NewValue: '%CommonProgramFiles%\System\wab32.dll' condition: registry_set and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml index ce8693321..531e0c7ea 100644 --- a/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml +++ b/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml 
@@ -22,8 +22,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: WDigest\UseLogonCredential - Details: DWORD (0x00000001) + ObjectName|endswith: WDigest\UseLogonCredential + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml index eb384f152..6d94d8a68 100644 --- a/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -31,12 +31,12 @@ detection: EventID: 4657 Channel: Security selection_main: - TargetObject|contains: + ObjectName|contains: - \SOFTWARE\Microsoft\Windows Defender\ - \SOFTWARE\Policies\Microsoft\Windows Defender Security Center\ - \SOFTWARE\Policies\Microsoft\Windows Defender\ selection_dword_1: - TargetObject|endswith: + ObjectName|endswith: - \DisableAntiSpyware - \DisableAntiVirus - \Real-Time Protection\DisableBehaviorMonitoring @@ -48,9 +48,9 @@ detection: - \Real-Time Protection\DisableScriptScanning - \Reporting\DisableEnhancedNotifications - \SpyNet\DisableBlockAtFirstSeen - Details: DWORD (0x00000001) + NewValue: DWORD (0x00000001) selection_dword_0: - TargetObject|endswith: + ObjectName|endswith: - \App and Browser protection\DisallowExploitProtectionOverride - \Features\TamperProtection - \MpEngine\MpEnablePus @@ -59,7 +59,7 @@ detection: - \SpyNet\SpynetReporting - \SpyNet\SubmitSamplesConsent - \Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess - Details: DWORD (0x00000000) + NewValue: DWORD (0x00000000) condition: registry_set and (selection_main and 1 of selection_dword_*) falsepositives: - Administrator actions via the Windows Defender interface 
diff --git a/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml index 18165fe52..571291a4b 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml +++ b/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml @@ -20,9 +20,9 @@ detection: EventID: 4657 Channel: Security selection: - Image|endswith: \winget.exe - TargetObject|startswith: \REGISTRY\A\ - TargetObject|endswith: \LocalState\admin_settings + ProcessName|endswith: \winget.exe + ObjectName|startswith: \REGISTRY\A\ + ObjectName|endswith: \LocalState\admin_settings condition: registry_set and selection falsepositives: - The event doesn't contain information about the type of change. False positives diff --git a/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml index e3324e729..8f11d91e6 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml +++ b/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml @@ -20,8 +20,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \AppInstaller\EnableLocalManifestFiles - Details: DWORD (0x00000001) + ObjectName|endswith: \AppInstaller\EnableLocalManifestFiles + NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Administrators or developers might enable this for testing purposes or to install diff --git a/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml index 7d76c323d..068594733 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml @@ -26,8 +26,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions - Details|endswith: DWORD (0x00000001) + ObjectName|endswith: \Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions + NewValue|endswith: DWORD (0x00000001) condition: registry_set and selection falsepositives: - Legitimate use of the multi session functionality diff --git a/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml b/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml index c40f4f8d0..d30081a31 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml +++ b/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml @@ -24,8 +24,8 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon - Details|endswith: .dll + ObjectName|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon + NewValue|endswith: .dll condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/threat-hunting/registry/registry_event/registry_event_scheduled_task_creation.yml b/sigma/builtin/threat-hunting/registry/registry_event/registry_event_scheduled_task_creation.yml index ae0e9b06b..b10543496 100644 --- a/sigma/builtin/threat-hunting/registry/registry_event/registry_event_scheduled_task_creation.yml +++ b/sigma/builtin/threat-hunting/registry/registry_event/registry_event_scheduled_task_creation.yml @@ -23,7 +23,7 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: + ObjectName|contains: - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ condition: registry_event and selection 
diff --git a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml index 979ed2b87..0c0ee2f05 100644 --- a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml +++ b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml @@ -24,13 +24,13 @@ detection: EventID: 4657 Channel: Security selection: - TargetObject|contains: Security\Trusted Locations\Location - TargetObject|endswith: \Path + ObjectName|contains: Security\Trusted Locations\Location + ObjectName|endswith: \Path filter_main_office_click_to_run: - Image|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\ - Image|endswith: \OfficeClickToRun.exe + ProcessName|contains: :\Program Files\Common Files\Microsoft Shared\ClickToRun\ + ProcessName|endswith: \OfficeClickToRun.exe filter_main_office_apps: - Image|contains: + ProcessName|contains: - :\Program Files\Microsoft Office\ - :\Program Files (x86)\Microsoft Office\ condition: registry_set and (selection and not 1 of filter_main_*) diff --git a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml index 6600cdff0..9c84b44da 100644 --- a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml +++ b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml 
@@ -29,16 +29,16 @@ detection: EventID: 4657 Channel: Security selection_key: - EventType: SetValue - TargetObject|contains: \Shell\Open\Command + OperationType: '%%1905' + ObjectName|contains: \Shell\Open\Command selection_value_img: - Details|contains: + NewValue|contains: - powershell - pwsh selection_value_namespace: - Details|contains: System.Security.Cryptography. + NewValue|contains: System.Security.Cryptography. selection_value_classes: - Details|contains: + NewValue|contains: - .AesCryptoServiceProvider - .DESCryptoServiceProvider - .DSACryptoServiceProvider diff --git a/tools/sigmac/logsource_mapping.py b/tools/sigmac/logsource_mapping.py index b9525c740..5791ec39f 100644 --- a/tools/sigmac/logsource_mapping.py +++ b/tools/sigmac/logsource_mapping.py @@ -31,6 +31,9 @@ "CommandLine", "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "ParentProcessName", "MandatoryLabel"] +WINDOWS_SYSMON_REGISTRY_EVENT_FIELDS = ["EventType", "UtcTime", "ProcessId", "ProcessGuid", "Image", "TargetObject", "Details", "NewName"] +WINDOWS_SECURITY_REGISTRY_EVENT_FIELDS = ["SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId", "ObjectName", "ObjectValueName", "HandleId", "OperationType", "OldValueType", "OldValue", "NewValueType", "NewValue", "ProcessId", "ProcessName"] + INTEGRITY_LEVEL_VALUES = { "LOW": "S-1-16-4096", "MEDIUM": "S-1-16-8192", @@ -38,6 +41,13 @@ "SYSTEM": "S-1-16-16384" } +OPERATION_TYPE_VALUES = { + "CreateKey": "%%1904", + "SetValue": "%%1905", + "DeleteValue": "%%1906", + "RenameKey" : "%%1905" +} + def get_terminal_keys_recursive(dictionary, keys=[]) -> list[str]: """ 
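Review bot: `"RenameKey" : "%%1905"` gives RenameKey the same code as SetValue, so a Sysmon rule written for key renames is silently converted into a "value modified" rule; 4657 does not report key renames, and as far as I recall `CreateKey` → `%%1904` has the same mismatch, since the 4657 codes are value-level (value created / modified / deleted) while the Sysmon names are key-level. Either drop the two key-level entries so such rules end up in the undetectable path, or document the approximation above the dict, e.g. `# 4657 OperationType codes are value-level; CreateKey/RenameKey have no exact equivalent and are approximated`. The stray space before the colon in the RenameKey entry is also inconsistent with the other three lines.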
@@ -57,13 +67,20 @@ def get_terminal_keys_recursive(dictionary, keys=[]) -> list[str]: def convert_special_val(key: str, value: str | list[str]) -> str | list[str]: """ - ProcessIdとIntegrityLevelはValueの形式が違うため、変換する + ProcessIdとIntegrityLevelとOperationTypeはValueの形式が違うため、変換する """ if key == "ProcessId" or key == "NewProcessId": return str(hex(int(value))) if isinstance(value, int) else [str(hex(int(v))) for v in value] elif key == "MandatoryLabel": return str(INTEGRITY_LEVEL_VALUES.get(value.upper())) if isinstance(value, str) else [ str(INTEGRITY_LEVEL_VALUES.get(v.upper())) for v in value] + elif key == "OperationType": + return OPERATION_TYPE_VALUES.get(value) + elif key == "ObjectName": + if isinstance(value, str): + return value.replace("HKLM", r"\REGISTRY\MACHINE").replace("HKU", r"\REGISTRY\USER") + elif isinstance(value, list): + return [x.replace("HKLM", r"\REGISTRY\MACHINE").replace("HKU", r"\REGISTRY\USER") for x in value] return value 
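Review bot: `return OPERATION_TYPE_VALUES.get(value)` raises TypeError when a rule lists several EventType values (a list is unhashable) and returns None for any name outside the table, which then serialises as `OperationType: null` and silently breaks the rule, whereas every other branch in convert_special_val handles both the scalar and the list form. The `ObjectName` branch rewrites `HKLM`/`HKU` anywhere in the string rather than as a prefix, and leaves `HKCU`/`HKCR` paths untouched, so a rule anchored on those hives is emitted with a prefix that a 4657 ObjectName will not carry; that case should at least be logged. The docstring should also mention the new ObjectName hive rewrite, not only OperationType. The rewritten branches below keep the existing ProcessId and MandatoryLabel handling unchanged.
```python
    # … unchanged: ProcessId / NewProcessId and MandatoryLabel branches …
    elif key == "OperationType":
        # Unknown names are passed through unchanged so the problem is visible in the output
        if isinstance(value, list):
            return [OPERATION_TYPE_VALUES.get(v, v) for v in value]
        return OPERATION_TYPE_VALUES.get(value, value)
    elif key == "ObjectName":
        def to_native_path(path: str) -> str:
            # Rewrite only the hive prefix; HKCU/HKCR have no single native path
            for hive, native in (("HKLM", r"\REGISTRY\MACHINE"), ("HKU", r"\REGISTRY\USER")):
                if path.startswith(hive):
                    return native + path[len(hive):]
            if path.startswith(("HKCU", "HKCR")):
                LOGGER.warning(f"ObjectName hive has no 4657 equivalent, left unchanged: {path}")
            return path
        if isinstance(value, str):
            return to_native_path(value)
        if isinstance(value, list):
            return [to_native_path(x) for x in value]
    return value
```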
@@ -113,49 +130,53 @@ def get_condition(self, condition_str, keys: list[str], field_map: dict[str, str def need_field_conversion(self) -> bool: """ - process_creationルールのSysmon/Securityイベント用のフィールド変換要否を判定 + process_creation/registry_xxルールのSysmon/Securityイベント用のフィールド変換要否を判定 """ if self.category == "antivirus": return True if self.category == "process_creation" and self.event_id == 4688: return True + if (self.category == "registry_set" or self.category == "registry_add" or self.category == "registry_event" or self.category == "registry_delete") and self.event_id == 4657: + return True return False - def is_convertible(self, obj: dict) -> bool: + def is_detectable_fields(self, keys, func) -> bool: + common_fields = ["CommandLine", "ProcessId"] + keys = [re.sub(r"\|.*", "", k) for k in keys] + keys = [k for k in keys if k not in common_fields] + if not keys: + return True + elif self.event_id == 4688: + return not func([k in WINDOWS_SYSMON_PROCESS_CREATION_FIELDS for k in keys]) + elif self.event_id == 1: + return not func([k in WINDOWS_SECURITY_PROCESS_CREATION_FIELDS for k in keys]) + elif self.event_id == 4657: + return not func([k in WINDOWS_SYSMON_REGISTRY_EVENT_FIELDS for k in keys]) + elif self.event_id == 12 or self.event_id == 13 or self.event_id == 14: + return not func([k in WINDOWS_SECURITY_REGISTRY_EVENT_FIELDS for k in keys]) + return True + + def is_detectable(self, obj: dict) -> bool: """ - process_creationルールのSysmon/Securityイベント用変換後フィールドの妥当性チェック + process_creation/registry_xxルールののSysmon/Securityイベント用変換後フィールドの妥当性チェック """ - if self.category != "process_creation": + if self.category != "process_creation" and self.category != "registry_set" and self.category != "registry_add" and self.category != "registry_event" and self.category == "registry_delete" : return True - common_fields = ["CommandLine", "ProcessId"] for key in obj.keys(): - if key in ["condition", "process_creation", "timeframe"]: + if key in ["condition", "process_creation", "timeframe", 
"registry_set", "registry_add", "registry_event", "registry_delete"]: continue val_obj = obj[key] - is_convertible = True + is_detectable = True if isinstance(val_obj, dict): - keys = [re.sub(r"\|.*", "", k) for k in val_obj.keys()] - keys = [k for k in keys if k not in common_fields] - if not keys: - is_convertible = True - elif self.event_id == 4688: - is_convertible = not any([k in WINDOWS_SYSMON_PROCESS_CREATION_FIELDS for k in keys]) - elif self.event_id == 1: - is_convertible = not any([k in WINDOWS_SECURITY_PROCESS_CREATION_FIELDS for k in keys]) + keys = val_obj.keys() + is_detectable = self.is_detectable_fields(keys, any) elif isinstance(val_obj, list): if not [v for v in val_obj if isinstance(v, dict)]: continue keys = [list(k.keys()) for k in val_obj] keys = reduce(lambda a, b: a + b, keys) - keys = [re.sub(r"\|.*", "", k) for k in keys] - keys = [k for k in keys if k not in common_fields] - if not keys: - is_convertible = True - elif self.event_id == 4688: - is_convertible = not all([k in WINDOWS_SYSMON_PROCESS_CREATION_FIELDS for k in keys]) - elif self.event_id == 1: - is_convertible = not all([k in WINDOWS_SECURITY_PROCESS_CREATION_FIELDS for k in keys]) - if not is_convertible: + is_detectable = self.is_detectable_fields(keys, all) + if not is_detectable: return False return True @@ -269,7 +290,7 @@ def convert(self): key = re.sub(r"\.", "_", key) # Hayabusa側でSearch-identifierにドットを含むルールに対応していないため、変換 val = self.transform_field_recursive(ls.category, val, ls.need_field_conversion()) new_obj['detection'][key] = val - if " of " not in new_obj['detection']['condition'] and not ls.is_convertible(new_obj['detection']): + if " of " not in new_obj['detection']['condition'] and not ls.is_detectable(new_obj['detection']): LOGGER.error(f"This rule has incompatible field.{new_obj['detection']}. skip conversion.") return field_map = self.field_map[ls.category] if ls.category in self.field_map else dict() 
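Review bot: `self.category == "registry_delete"` in the new guard of is_detectable inverts the last comparison, so a registry_delete rule skips the field check entirely while every category outside the listed five (which the old `!= "process_creation"` guard exempted) now falls into the checks; it should read `... and self.category != "registry_delete":`, or more readably `if self.category not in ("process_creation", "registry_set", "registry_add", "registry_event", "registry_delete"): return True`. The same tuple would also replace the four-way `or` chain added to need_field_conversion earlier in this hunk. is_detectable_fields has no docstring; something like `"""Return False when func (any/all) of the given field names are still source-only fields for this event_id, i.e. cannot be detected after conversion."""` would state the contract, and the doubled particle in the is_detectable docstring (`ルールのの`) should be `ルールの`. The enclosing class starts outside this hunk.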
@@ -347,14 +368,14 @@ def create_obj(base_dir: Optional[str], file_name: str) -> dict: sys.exit(1) -def create_field_map(obj: dict) -> dict[str, str]: +def create_field_map(key:str, obj: dict) -> dict[str, str]: """ カテゴリcreate_process用のフィールド名をマッピングするdict作成 """ - if 'fieldmappings' not in obj: - LOGGER.error("invalid yaml. key[fieldmappings] not found.") + if key not in obj: + LOGGER.error(f"invalid yaml. key[{key}] not found.") sys.exit(1) - field_map = obj['fieldmappings'] + field_map = obj[key] return field_map @@ -466,9 +487,10 @@ def find_windows_sigma_rule_files(root: str, rule_pattern: str): win_antivirus_map = create_category_map(create_obj(script_dir, 'windows-antivirus.yaml'), service2channel) all_category_map = merge_category_map(service2channel, [sysmon_map, win_audit_map, win_service_map, win_antivirus_map]) - process_creation_field_map = create_field_map(create_obj(script_dir, 'windows-audit.yaml')) - antivirus_field_map = create_field_map(create_obj(script_dir, 'windows-antivirus.yaml')) - field_map = {"process_creation": process_creation_field_map} | {"antivirus": antivirus_field_map} + process_creation_field_map = create_field_map("fieldmappings_process", create_obj(script_dir, 'windows-audit.yaml')) + registry_field_map = create_field_map("fieldmappings_registry", create_obj(script_dir, 'windows-audit.yaml')) + antivirus_field_map = create_field_map("fieldmappings", create_obj(script_dir, 'windows-antivirus.yaml')) + field_map = {"process_creation": process_creation_field_map} | {"antivirus": antivirus_field_map} | {"registry_set": registry_field_map}| {"registry_add": registry_field_map}| {"registry_event": registry_field_map}| {"registry_delete": registry_field_map} LOGGER.info(f"Loading logsource mapping yaml(sysmon/windows-audit/windows-services) done.") # Sigmaディレクトリから対象ファイルをリストアップ diff --git a/tools/sigmac/windows-audit.yaml b/tools/sigmac/windows-audit.yaml index 8f000d8dc..130ee5538 100644 --- a/tools/sigmac/windows-audit.yaml 
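Review bot: The docstring of create_field_map still says it builds the `create_process` field map, but the function now loads whichever `key` the caller names (`fieldmappings_process`, `fieldmappings_registry`, `fieldmappings`); it should describe the parameter, e.g. `key: top-level key of the logsource yaml holding the field-name mapping (e.g. fieldmappings_registry)`. `key:str` is also missing the space after the colon that the other annotations in this file use (`value: str | list[str]`).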
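Review bot: The one-line `field_map = … | {"registry_set": registry_field_map}| {"registry_add": registry_field_map}| …` union repeats the same dict four times with uneven spacing around `|`; building it from the category list keeps the four registry categories in one place: `registry_categories = ["registry_set", "registry_add", "registry_event", "registry_delete"]` / `field_map = {"process_creation": process_creation_field_map, "antivirus": antivirus_field_map}` / `field_map |= {c: registry_field_map for c in registry_categories}`. The same four names are spelled out again in need_field_conversion and is_detectable, so a module-level constant would serve all three call sites.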
+++ b/tools/sigmac/windows-audit.yaml
@@ -40,11 +40,17 @@ logsources:
 rewrite:
 product: windows
 service: security
-fieldmappings:
+fieldmappings_process:
 Image: NewProcessName
 ProcessId: NewProcessId
 ParentImage: ParentProcessName
 ParentProcessId: ProcessId
 LogonId: SubjectLogonId
 IntegrityLevel: MandatoryLabel
- User: SubjectUserName
\ No newline at end of file
+ User: SubjectUserName
+fieldmappings_registry:
+ Image: ProcessName
+ User: SubjectUserName
+ Details: NewValue
+ EventType: OperationType
+ TargetObject: ObjectName
\ No newline at end of file
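Review bot: `fieldmappings_registry` has no comment saying which event pair it serves, unlike the structured `logsources` section above it; a header such as `# Sysmon registry events (12/13/14) -> Security 4657 field names` would help, and it is worth recording that `Details: NewValue` only renames the field — the Sysmon `DWORD (0x…)` value rendering is not translated by this mapping. Renaming `fieldmappings` to `fieldmappings_process` is a breaking change for anything else that reads this yaml by the old key; if that is intended it deserves a mention in the commit message. The file still ends without a trailing newline on both sides of the diff.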